Malware Analysis Report

2025-08-05 21:56

Sample ID 241006-llxqhaxcjm
Target 178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118
SHA256 6a8425919b1942929fc98d0d8c8777515936042c5499e958304543bf0e8be8b8
Tags discovery persistence ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

6a8425919b1942929fc98d0d8c8777515936042c5499e958304543bf0e8be8b8

Threat Level: Known bad

The file 178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 09:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 09:37

Reported

2024-10-06 09:40

Platform

win7-20240903-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 09:37

Reported

2024-10-06 09:40

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\178d180e0c8e7a6bd10fc985f8683131_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\HelpMe.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef34a346aa93acfdc28d53d827579b2b
SHA1 3151d66bd0fa8f1f7788b47a9eba11613dc18527
SHA256 33954a57689f6c22f36ebc4de94fd6fcbe6f11fd6e773331a630c205df239027
SHA512 d1ce9530af631f76529c5e8d928eebf9b9b1c45142855b5186be4b78cf6c49e452be455fa34df87014ecff1aee54e010a291f859c1ed1f2d483a20f33224b8e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e76ab3920f3a0105ac1baba07d34ad9a
SHA1 f3c1ca4c969359347736df54ae27cd7097e3e02d
SHA256 a5d4153808a5e2a47935fbaf836916bec302b6d76cacee3dd5966216393b9afe
SHA512 2558238bd6bd7cd2f1a9ca5b3b8969c99de8230e458a5894e4f3b24a2658e23a01c91b32e8da2d1d87ce8086f1da4f92794d6a4411d941cfd8fcc6815639688d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 44b2dfbd7c77f110412f6749b4ba8bd1
SHA1 8bbd9232edba6336814f2667844f3bc2a9a7a136
SHA256 34e42a62f7b5e31a7927161ec6b1ee35cfab88cf62b912c1e3b6d1885b1eef99
SHA512 5d2744a0df0c2aa51fd9c0140a27080d56e8f256506b3825724709c95c194349cc138d97a0040b7f7614fd913c144e94b7854c46e2233f81e257e3ae080f48a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a9fbe79442f10846f8ae745104aded53
SHA1 e473bf75b47f8b13ad8052600e89035562ba8f53
SHA256 719809dbbea1469b0de20a0aad8fc105ab9735c16b6e70c3e251c030c34b66ea
SHA512 afea1e63f4e91d49210bf2575fb767f50a3ebca789b0270b545c6eb67da99ff227539496281cb9b882c939e747aff95c6c20b79b7346b88572cc2d87f06d70ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d9b125e0767447c24e4af9fc1501cb89
SHA1 f57cb3c5450b54b871754b0a602c1f985ff52355
SHA256 2c98caf04203603e8c4abc1bd1a752ba9a1b0157020e4ed4bfb534225f3f7102
SHA512 96f1a6497d08df2ef523648deeb547208e6a83f03b5e50e63853d0ee2ca4688abde97fb53130201763e0ce447853aa2988e98d8a89be5b71da6eb53c7b47c848

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 00ff427dd7aabac46ec20e7c3167eb78
SHA1 a5b28e261d5f6509f2882fe895a429e2d3aa2171
SHA256 fba79ade95cf452b86c449d6c91326453e17193785ce6189d197d56d36e5d61b
SHA512 7332d39b4ff0bbbb59f74982497e110847621548fe5712547fa405939143dc564c56a0653e9fe37c8a65fdd3f5fc2f7887f7d7836b3a2913cb51eaa31fae3f36

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e8f705d91ef7afc271e73c7379dd00d
SHA1 f6033de003a7f514538d8f26a084a5ae5bd73908
SHA256 1c40928fa66a48af86702b4321432f1b8b40ab34b175ca8bba7e295fc0998221
SHA512 9129b555212bf93e17b38a7d32f6c06e0fe06ade9c75678a23d34bf1f41d133845f430a60768bb897028a2732c690be85ca46d2353aae690deedd1737b6c532e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c8a369d76403ffe5f72a022cd4381f8c
SHA1 614fd75553a28171ffd8797d0e567aec8de8a9fa
SHA256 3ef0501b62e99c0175c6c7cb802e21b35b9ccd4cd2ec890d22d210b39f803ff9
SHA512 e7be615fd358997ee9d472c8673846eb042ff9d4e632c358a17d285a8d081892ff10e904e65f01915512b4fb74c479236537d4a20eadd7d251942f2d82c807d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c2547c796ee83cca3067acb38a8242c
SHA1 3bac3d7398e5e36d8bc841abd3ef66465c9f374f
SHA256 d779b47eb6f71693a7384f14b9b16164af474189ab6b301c80aeea4b98dce490
SHA512 496f687cc3141b31bd713cc2763b7298532941c80982af13408a04157a4b9471e808aa01c07b86d01b846f29c4b147d22b0a63a336b4efed8d2b124ec190a1f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f1d942d0259bbe756ce31520659b2298
SHA1 9944d10ef7b5763715f6542d7bbaaabc066249d8
SHA256 eb8a0b6c294ea2f147d71e7249ea700b1ca1a77226f56dbe90aed537303effe5
SHA512 f8669c14f809c8a144c87bb4d99afb62d76b22b673aa1ea1cafbc6c64238ee76c69923e0a926e8053883f615021f0ee0a1dee4bfbcc712763aa7450b3d29c197

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 27b2b69d7aa95945da4582140386aa30
SHA1 ced0aca8e59a9662ec66ea0c73c1fccbc1f81754
SHA256 ccea3dc8571839bc75ce07eaad69750edfa215727b9a046e4b3c66a9b8c2d438
SHA512 e82cf9d6c13c3aab351d9af13e5f6790c0a8379a6069739361fff3dabbe3e997f12f96a65b9e573ceecdabc3995b0d1020cce6fd9bbaac7626cb68cd7435b95f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 443136ba15ee79e85878d00330f61b90
SHA1 9f9b0f6eb3d9e4bad442fc15596c5fe07aed5395
SHA256 4b47e5740193a8ae63f8d19822f1561d02a7cdb139e2f7b0771da27e9f53d88e
SHA512 814301bc3d53c4f5dd9c4da673c29949702dcd0024b2c99cf813380ca4184c8de157d32018f823e2b7943744a6b81046113f67a6e619bd8463d72559f1b5079b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d851eea5e7265b8f4f96dd858502a020
SHA1 784f24429834a88dd6e50da65aba27fc7a9f9b32
SHA256 53e28a19549c7727cd380d75bbeb6969fe337c4cb502ec03686925807d6a22ce
SHA512 abd9b8379484f2f2944d337c3a2db33afdb8da0965c770f233e2bb2eefa77807df327d50a602af777bc8b755982bebc577b743b930f43de25887c067bfb1f0b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2076bfd6b3f2c9da84a823e8d9a8e5d0
SHA1 28d62b3fbd464bdd2614137a109f1277797085e1
SHA256 f4e2fafae4568c43691565c5894f5bb7ac78f7cf791c182fc8b55f4c98f49fc0
SHA512 51715a804f13006e69e714bf0894ea9edba3be4ac769d7ad87d25b4e1e1e1b8a4777182ce160b0612eed1874fccc01ff79fe81a9a92ee6fbe861b5ac4003e75b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 267e7ef9bac82d7d916539310859132a
SHA1 595cc0459f033c5ee9a5455c721ef758b58ed628
SHA256 6888aaf813c386b1ca1e04d74f455cb2550807aa08342c39fe541dcb038e9b4d
SHA512 f9507bffb17b469f400f5008955e804a8079ac3daa2fbcf852915d6c4ccd7159fa9abaf45731af1c331f56d5719552ef6f1552a5f8c64af7e94cc57b0721aaef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6ebc0c63f7c7bb50ad689944d3a800e0
SHA1 0a79a34d7b39d74cb1ec44c0c512f3dce9de6ef7
SHA256 252319c9a41c6f6bea0d2b371392a4c5c41f9baf2d02b2dd8007bc91089a2367
SHA512 2b70d9a2744dc68ac4333396147dd9ebb85ced80b44111b0fcbc449b7795afb9daab84301e0a222747a825194d1fab42c563931f84eeedd12a71f54165af84e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d2fa1e68599e91d0d025db6e4536d163
SHA1 7d9c4f6debb8c82f5135cb72d54f794c1d83564f
SHA256 b7a8091121f8a4df51f0c2c8bf90a069ffe5306fd68fd8db64f4be282f7ac946
SHA512 5ac174ae57849aad60342f2650e6f6300c9d5eb35e856926848c0a747b6e0a0082532e839444faa10467bbeaeacf19fbbda9e83bac819d79cf4cb8bba28a9752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2941cded53e52677d148e93c86f69576
SHA1 b65420e4a86c34415bbf053a539f43722cd84122
SHA256 5c51af0e4f42c17246d325413e1dd1f93c75220103f17b5b9f7893c114c55428
SHA512 14281759281ffdc8309cd6f5ebee23693b8d10260d36325f24507695cba577b30e1983e987c3bd68dc3e19cc7a76c0758570af74168e0b28b8bcffb2213be939

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5dc4f129ed061725b1794cc8f08d4949
SHA1 b7ece21b8a3ebc5fc30cc7c6a55ce0e8b069ef9e
SHA256 88d603b6fcf0d7a6c8e789f77248ecea2b78de7287a5160718bee1f0e951eb21
SHA512 c84de353b1410b9a3d698c176fcb2a3b19f21c682704713de9346b22c32206e2db5d7d65d9ecedfbc38350c13b438a66a2a604606145514e4aaefc25f43cd53e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5a9a9f4b58efce45e46a3ad468d63329
SHA1 a91b9aca77ed35809ece59f9520cfd370221b0fe
SHA256 a4f5424de7bcf46974547825520d9cb718af226dc8dd9c37ebc274108f92ec1e
SHA512 6438661dc41f71c44b1d68e42061e933078c360b680b0044059e4e184be2009ce4557705cc816264c0ed0d3a2bde6c068990d6a432407e6d7eaaaf44d5cbba43

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a1d9fd8aa2cd6a0a70805cbf1d8e3d6
SHA1 de251132e90e0f977f69be2a409b518d3c4ff537
SHA256 7e1563e57b956fcfe4c7379407087c45f6cb22dc2145a3180ebdecfa7e8f6513
SHA512 6e4b1defd84e4ed3f5062350f1e596f6bbce6ba838c290f4deb7419862ddef59c7c0433200538af21315539a2381fc88925930e3dc080fbc1bea75b1934cecd2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e1a7140381917cfa8f1962a46307418
SHA1 765671a2bac5134b309d2d03ac6639b5bfc9e7e7
SHA256 ade7d2a2c3fd9a0489af02f9b5fe50fb17142e924a25bd6a17d0a6e215119b33
SHA512 71db611767938a22ae5b46d2bd81d475975953b28d8f058be0fe8a19ba433d7a907c7dbae116cf7d04352cf02e6db974aaf8175835a9a1de163652a3338a00cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ebcf6c269a661211473c25a06bf3d9b
SHA1 8c910caef8ff55d3158fe25e29e4095f1554e404
SHA256 813ddf54de7c004950b402ba975e558cd31fb0cf4fe949acfc1e00a5919d7fb3
SHA512 72013b3c3036653429c72f22114c0cdd3fcf390b439c7812955134952f94b792fbc6df7fed5451748d1a5fa439e82528d21344c4a208077f39d6f546ee67e644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4a9cff51f7687330fa6a1d943a699910
SHA1 c409bdc7545d351fd949b18ef015e2ccc237ec7c
SHA256 4413b05c4d27e2395a2217b7be9b0620c13d531ee00df173db36c42f6ed073b7
SHA512 3853539635e49e44bc304e9d17123e4658dff07af6aa4bdda86050035de194cc818a1b6e17c2773cc02f8c83f45b5b37fc4cf0d4a9231026aa06de73c492a0cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 01c2a492bf83e19750d998365f7a9404
SHA1 88ecbe81e77992e7b0e596624a8450632b1ba4c0
SHA256 0680f11cc991eb5bfa13f9b1976ecbc502f1542aff38424cbb78ace96f7b3d14
SHA512 e13cd23edd4f845dc10edd0b3fa7491d77a6f0098eaffad38019b373c6e0e23a9100f96104c82ba5d5a793f5a6d48b00b15d73a0630af2e2ee41b684dc627249

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9236a8f0ebce2590b8b039c8c9f01860
SHA1 f0d57ce176c2f5d93f571e3cc2c929ee423e56b5
SHA256 793de8402ff5400d4cd820381b062a4a354864945a8cd45a9fc9846ba08b9fd6
SHA512 53e9382df4fb4cf2c9345598b692f0fa0cf3dd607434b50e656a65acd90a4def75b267c32233108cc8d9b4392e9f6895abf072ae07b570da5cc21c92a3ad818c