Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-v4xb5awdkr
Target 4e21121a61f231b5288f3f795bf80987_JaffaCakes118
SHA256 49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8
Tags
discovery persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4e21121a61f231b5288f3f795bf80987_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:33

Reported

2024-10-16 17:35

Platform

win7-20241010-en

Max time kernel

145s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2380-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 d366f09b45829980a4389f3803b2f1fa
SHA1 89e72610077a582083a2c9ebdf30115f04924ae1
SHA256 ff979c46e355a4596575abc136c245a8f5931faef96771825ae50312a9186fe3
SHA512 f53438ebfef858fbba99fea8035fba35d5eb5635840552dc62382adc5a851c2d82d768ef08f5653b697e02ae2515ff29002698e3b36186e44ad898b8823da5e0

memory/2892-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AutoRun.exe

MD5 4e21121a61f231b5288f3f795bf80987
SHA1 1aaea300f162b85c4034d24aaba40d823e7832cc
SHA256 49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8
SHA512 8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

MD5 643d9d17c4fee2961762a0e971d3dab4
SHA1 c9bdd312c544de660de34a5cb6dfcca70b00df58
SHA256 0a452cef7ee0bcdb4a12d1edfb42e46e57a2d2469e5c153dae634a07363c2c21
SHA512 b14a6db2ffd1d3146b0f21b413feeefb1615bf0dc69cc90feea5975a702a06cda74b2c1a021101ffbb9b64334975e06748dabc59bf802e5a306f4e749cbf6ca8

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

memory/2380-67-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0413d8a0d64df19e11ca4aec83e18fc
SHA1 2c4eadc535476b3fb21ef578932c30ef476625d0
SHA256 5802dce9f16d7677e040c4532ea301b5424946a74ccd4115270b7951d351fa7b
SHA512 23044706e7d9c59859dd552e4a89ba8630d018ab12a72d61b96d744022ecba6ac6bc4ea54dd99c1936c8965fcacd6e6197ee55fb5a37e591ccd81c15b8596848

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dfb3a368682f8d1288e39be46f7d71d8
SHA1 d57cb1ee0f930fc39b3c7dafeeb21527046c26e9
SHA256 97911c62fd77511155e9385531fb2c8752255e126b8a79cbec4a47b8272b7960
SHA512 f6bcf1d11763e3868d509cc81dafad2b8f7eb177f12b76eea79eb085b476382799dd6027637484debc08476b26f9f0a5389cef109e4860d3162894f0f58bb8f1

memory/2892-74-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:33

Reported

2024-10-16 17:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/3876-0-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 d366f09b45829980a4389f3803b2f1fa
SHA1 89e72610077a582083a2c9ebdf30115f04924ae1
SHA256 ff979c46e355a4596575abc136c245a8f5931faef96771825ae50312a9186fe3
SHA512 f53438ebfef858fbba99fea8035fba35d5eb5635840552dc62382adc5a851c2d82d768ef08f5653b697e02ae2515ff29002698e3b36186e44ad898b8823da5e0

memory/3936-5-0x00000000020B0000-0x00000000020B1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

MD5 732160158e8abb6b3aadad6143bc807a
SHA1 0f919fa390d5ae03e54031b5269e58e829a4e2e2
SHA256 2236e2da08ea95412c9abbf62483e08a97926daefd2cd20d991730441fe9a8ec
SHA512 02af7cc440ec619d309d66451755db2dd369a6451f1ec4900589887babd42ce1c2f1223d4ccefec4403de3acdf7cf3cf796b66cb23af8932d166511a3059f8c5

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

MD5 d9730aa9d3ca3e37b6cf2c8780e3107b
SHA1 145e16f5b40d123873b7e6d7d4bfd60df86f72e5
SHA256 11af077e5416e11b66cb37e95f9b65f63c4ceed257adcdcbcffe7ffb20302bc0
SHA512 d2b1efb5f01a49c9d938f2a8d19c2b89ee4b85def8bcb44dc8ef11ce496c73874b97bb975d864a369bec24e86896efb503db2417da1fa0106c4f4934fc122e40

F:\AutoRun.exe

MD5 4e21121a61f231b5288f3f795bf80987
SHA1 1aaea300f162b85c4034d24aaba40d823e7832cc
SHA256 49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8
SHA512 8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

SHA512 3b98b455841c989c624f3f5e88e9e806a42dfe945b7ab530a4e86ea9263dbe84f305748d55dc8120fcffb701cacc0abeb5db26a699568496a170d7b35eddd87c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d38396e5637ce4d3ca6ac64eb3a19635
SHA1 4c392a82d21f454cee2922322077f93c9b73ee27
SHA256 1e35ee8f918dcfa812ba74bd176b8a77524567246db7b65f22d9ef3f8620f81f
SHA512 d9a6dac73c070c4e46d6e387026874cb493b1216485b84c553b6855c875d01f5f0352d98102c3b6335dcc0480b25645c47581c71c5315feb532120934cb8f09a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c2fc09f244d670d079b46101d477417c
SHA1 30b91621380c7ed81bb48f528d37d6e4016802d4
SHA256 640a818264b4460ede62744c151c31a2a1681b7f37c3b7b232de21f858af261e
SHA512 b69497ed4b9b44f884236a891473cad677eae3681e030f604ea8d07158f5f9b5231f7a7a1556cdc31e66913678450a0eb3e88f4ca0d3870e6aa7580b1313a3b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1cbc55ebb39877755e59f1dc78470557
SHA1 dff66d616a02001321211de61271da12b4a87e17
SHA256 98973e24585c5c06e86d04849af24046b8069a5b8e40a330d659bba897dfb640
SHA512 cb896b739b3ba2afbc6503f44b5502548a8e63eb2e391893587d9e0e9b25bdd8f1af87beb533d6123321de2ad6b9698e1f539a1436f5c8a11e37148588cff2b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1814652264d99e384895011240799615
SHA1 081b1e09e7c0546655f9708f89a96b57bbff4d18
SHA256 cd8de0cc04c76efc868e34e8d4c5b5da793fd17a4d13a32ef8379fe3c9eb5699
SHA512 558f93cc8fbc3c600f010968a301faf46f39a0ea78cebbbf02fe153493708049305d2da477f044447b82b129b9d07831427d0cc3130bf82fb9c497fa47c1012a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b5a552fb3ec02ea71703018d368ef8ae
SHA1 452d92b6bdb93e1021361a0dcc20bfbbbaa6c303
SHA256 fb5f74d52b28290ef91bec61b575b9a1224864df322c87e19f47143d0af51af3
SHA512 74edbf593b6bda4824f22b14ddf5ef3e2849b034dab404250ae391e07dbaebd57281d13a6f3e0fb42a9e0e63ff37085c3841f6f467dedbada636d711321ae17b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9046df3727d861b85cb76ed27ded3b24
SHA1 852d02760c95a49e8a581716b9f6a8f0d04200fb
SHA256 96e2960ede5d5acc5dc5988ea7b9f2705f9e50228555425c5c4f2eba9eb15a6d
SHA512 a92908c5aae6ccefb848d73f625dd3cc1c18c0f7e8c67d8ad70b35e2e394f7df164abc5cfdb8a61e5013c6546a0078e4343b702f021cc3ab16381d7fe7d75b1c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 19624d0a9fc977a8928c22a320ac2c62
SHA1 7eaca66aecdfc2832ed0964f6204719d08f1c075
SHA256 14ca56328d870a5c6e8c023d634b91434c47bb49f8bf7534a6b08bb31b76fa5b
SHA512 72ee3a5e6a88de86429820ab855ebec663c0023d7f0e5773a23a892b704aa1738120d67f5fd8afb6db33f4561685fa49c347e0069017510b9b8e1331a15cd53c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e2eb62f3473f8efe363be0a9d23df1fa
SHA1 13d214c0ff5da063a436ed77864563df5d596fcb
SHA256 4090caeadd7940b9ad0a8515d3213b9ee238ea05b77c3b99930b20816ebfede2
SHA512 c58bd786d92dd17672a4836e962b544123e1eae7052488074dc4e22b5efa3839d81e52dc55e975584802e90831efce8b5137b4a4c6ac44c82537a49577c4daf0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 14e0c666d0bf3e5385819b9f43e12c7c
SHA1 70d6aa0088c94add463c07dbec190481800879cb
SHA256 96b3164523423c54e31bd1a25d402aedbdfaa9cb0a64a8528c49532d0e65296a
SHA512 636d0ecd2a716c500e892ae48cf381cce8e86c41d0f0224d6f0c62411edc813d849b7e861899aa5966b7c350c5a8bb1aeabd58b31a630007563226012d26401f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0b047cdb37b7b59da746c0f2ee81a08d
SHA1 ad8ade5b363d99d245ca2e1d1afd08ba580764ed
SHA256 281912a7910ec56e4c1b39bcafb66d2d9cb2a292b1fc231d8503a39d6a23211b
SHA512 d5bf96588381127b6e63d62e1e5c330a407471cb23564cbdedbb334d08918c6f6236c52bef2305fd6ed88b2c580aafbe3b90150f371dc1d0ee0c4731399b7f2b