Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-vsy2ksvfrk
Target 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118
SHA256 bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c
Tags
discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c

Threat Level: Known bad

The file 4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:15

Reported

2024-10-16 17:18

Platform

win7-20240903-en

Max time kernel

145s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:15

Reported

2024-10-16 17:18

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

SHA512 52440d9408209e54b6c5a04f4f355dcca671393f0cd06b50188aea643a7de515076efa108d029ee2a4dcaf5b38324ec8f65fa13ca1512519238c59ebd2963823

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4e5b7697430623543cef4e6d78bc9f44
SHA1 6e63fd6c683e9cc30d6fbee61530c7ec531457e2
SHA256 4fc868fbfab96041f567bb075b3033d006543065b8585be13a4cda5729f80fa2
SHA512 a04bf5d31c032ca10b2ed19f4aee160c2386024164e33c4a2412f85473d2bd40f8756c5821f27d8dd1fb2b734d33d43362efc11480902c6f9995adf49e9dd93e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4b298cc23a7fc4fa36638e68f9f3bd62
SHA1 66bdffea3d8516a7735ee9fcc81e8357e380f660
SHA256 2ad67ce8adb65b5d6db0c951dd209dfc4312add27884de0d3572352c25639343
SHA512 2e6e0f1e1cdc74c6a20f2c186b96dca17a31dc87f3a0c2903e3a24c3c820d8fc3f2977b643c84f2f86ed402108c61f05eb4b0f381bf01e85011e507d99799f40

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1644633a50f819a1fe0c63bcd80b3f59
SHA1 567ef6b3e5089ff14d776d52a32159da26a09a9d
SHA256 00f783fba63c94c71b2644a792fde038e3b21d5dd464337d15fb95e9bf83eeff
SHA512 695955e87c22d2b8ac35a1455d7c42b2cc46499d12e2e58e65e31420101f9ef96c49452554ee7ade1240fba6c58c9c72cad3ea12987c6f35374d2f7068b22866

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e8537f1f16585ce8788616a44db1eb8
SHA1 96cb82ade5cdff661ab7ec6af248edc04d432e97
SHA256 63c83f03ddb82482ab74f7a13832c52e4cfa6412fbb79bd52e39a25d81fc45f8
SHA512 385c87153d4a6f2aa975aa2e8eab0717e27f6d1cdc50deaa3c5ed2b1d2352c30c109fe8116cbc17eece54f191e881f82599e0a117d001bdeae7064015369bb3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1d94f38d0fe4e50cbd229405dc63032
SHA1 4470208ca6678244f91e45a1a0c5d6369c54ba50
SHA256 a2c2fa783e097f14cf95e2cc8168638a59bb37a9f534d4b9735f322e2547c029
SHA512 49ffb12718498c085967d54a01051ca58851209cc73cecef073f7087d6d8642b9e67d4ced5facba9de15fdf71fa0df0b64669be71c9dd77b9a63fed0d30711ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab24b2f9bacdb690dae82f3cf276d5ba
SHA1 d13673a50a04ee1725913f7c5fd9103932e7dda4
SHA256 65de458283e562e318f98d961e02181dc5ba9c854144cf56e569f447eec2bc4e
SHA512 2ca842f55d38d50320dbd87739ca41350c7b19b5d96cc85a877084b3ee82d2cff9f6831597778d82e0be17c45a008bbbce75c99842ba569c40694308d2815814

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88e1c02af0df663c49aed99758c8f0f4
SHA1 b295a8bbd4e2a2e8569eb203ba1d9b98b0df5f84
SHA256 b88540f94fc1ef2c1c3e333941122b5f53b6b7bf214f645405c0f1684d86ae68
SHA512 e453ecd950297951ef1ac7659e0855256426f72e789bbff1bc75f0032f1a0700309d149bc130622674e88c79a0d0b5ba0eb6fdb593fce92483c34ab961069d0f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7ce258f888cc4bfd644632635a447764
SHA1 3bd73abafb42b8c13c5f165f4dac986c950bbb7f
SHA256 c31c00a62677da18a2d6fab72ebba147f41284baee591e9fc7b0cc6b503148b9
SHA512 c21f1d2851d4a2906371b62083f6c5b5886e1321c42b0755863b3356299d786e30cd6dd4bb2327d436bab5f1801e81a6008ae0730c3f3484a9f05dae43793a5d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e6068154d5dc1a94d775402fe593d0d3
SHA1 a52aa850adac24d2215f9beccd5779dc2018eb4b
SHA256 f76bcbab8baf6402b9c5bd51d37c4a9eb4f79dff78fd5339912c71131f8e9a1e
SHA512 36ebf7ca8bfdd3b13f683e814d9d3dba4a511ae41b3e9b0b4a9cdcc4c6da6fc1e7f290f5224a03a5dde188306e9961d5e7d3347ae42147412b070a4adac76aae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e7b1922f580e9ea64037c956e02c209b
SHA1 2650bcb2c4f0fd5ea27236f9101cec488feb4735
SHA256 b63a56af4d5359499d87a7711e93d4796d39b83e50718fca3aa388b67fada16c
SHA512 216132decbaa11b33cefd494dd7ac51808e037deebbff06bb0eaea8ef35d680923c9b942b5476f901d330264a4c756c9ad65ab7b727e69badc0717666b170155

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d2d4c254595bed5b0ff2f4d166f64fc1
SHA1 7ef41316f6dabc35a0482e122d73b3732fe4c3c9
SHA256 f0136816633165c1ae3f9e4af6562fd26afc787c40d803701d321ead1e7c2cb8
SHA512 0a5a5b158b20034e4b24467334e7c03da9c04335f3be49cdca69dca2824ba198ba755d0d203030ed9945b98e3813b406388b29e689b72184835a8af9a0ae262f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bc9f39a9bf17953976115677f6c53e6
SHA1 426cc822f5c2a9d94f79850ea0d0f1b6e8cc984d
SHA256 3d818386e0e6182474c4e54e0b47022ca6ee877cd762198d4cf8a638ef7d2643
SHA512 28673bb5c68f43f5cb6d45c3fec5db44ec0dada024fc53fdb985777012b793691f9d5931b79236e7eab9115a2fb55ab1e1668cdc0b6852c80879e46174bb5aaa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc002f80d5a899e5d4e9ce41607b9c26
SHA1 3b132c531a91caae8d47211f632a0cbbffe354b1
SHA256 2ea23f47ef93d1c77361d14c690f0cc59b8c75dc1da6d043995bbe25153e3afe
SHA512 6c9a7b9599fb4820474ca30d0eacb70f9fcabba33c077d3a6f1500f8765b4658060d3bd08b05a6d56058a67bafaf71baed0d7034d491e323eabeda7a26c0a50c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fbb07eb619f3477a8d290c269e1c8969
SHA1 03fb219054cad51042c11f6333ecb4f490f48329
SHA256 dfbc2d4ed3e88e7a6ccefb70331750d9d672e801b70dbdd85c1151289553ce73
SHA512 6a375d311ee4577dcedcce81dced945ceeaf4b2bead9a82d5ccb73690d01c50503896e738bf9f48b9b3c29d2379bad7aafac2d69c5d8a3de87322147983efa97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 64a302c95989a3ef83e7da888a672793
SHA1 1decd65a0d27081ec2979513662ee6719e367bc0
SHA256 055ddd9dcf6521e4fc02a0e49bef86956afd00f80768abff3211b73893695bb2
SHA512 cc29c12d55f06eece55a453629ba0fbfd82efe6db05e88bedc76827995328b379805bc9418bc0c3fa9a8631d191febe61cdffe4fb9e8759957073941dbd0858d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 029ff11a552beecb98a473140c5ab0a5
SHA1 8f5a747947c3d15d430b2bb6fe9a8afbccbcd532
SHA256 b51cd3c482a615a0a1961a09d303bf4862a91fe97abd5959448051da77b73a43
SHA512 fd5e76b05f849e722d65124dc146a40aab2a6fe13dfb926654b2ad570d6707ad3f4c7b06e0aecb8191b8127b229d25721d9189ed0e7a09f4c74cc2fc03157d27

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fc66cef1a4dad0c1a966ef2d969b2268
SHA1 d674e525c7463b6dde2ed80265cab5cd1df4d922
SHA256 250ba8deefe45b6e86670bf937e930950806afb658e832a67e25736401d39840
SHA512 5db82d93a68f4982b07f480f0757c3f38ed359833395c5612fac1aa583d83352d5768c7936efc54b7266f8a352231edb1e0d77511ba3c788168c9fa2cc101c7b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7ad3ca4cd8d2c2d21779809a9659fa0a
SHA1 0c5aab179757c8bef5da99c220980be7815f347a
SHA256 03ec5e30f5fb0ee0719a6bbb1baaefad443896567927ca3b81fae2a15b1ce840
SHA512 abe3b27ad9bfef8f44da697c58b867b63ad4c85ed0cb06e126c2730dc24843a022ac9f9f629654033b02ac96e7c777062ca48467fb83f93e9598cde88a4de3b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 453f27cab2573c6edcc0baab02be3939
SHA1 a4f6cc74759404e73367421a9b6deaec1e2ed5aa
SHA256 c28d88c334076f2062317b5f076b80c914d2081cabab2d0cd0db53db8c64bca1
SHA512 886e426525a502a84c20edf1dadbc40a80a78e29009470b43af2e1f9975e16c4eb211277512f8a92ea6f53a6165d6c568038d55591daf6c7c733123389951510

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e95764c7a9749ad3b244e3ccc42d7953
SHA1 7715adcde59b116586996e50b3622e4f9257b091
SHA256 8a0957f60536e4783ba25d83861fd02d20446ed120b3201626584a97c90c0c4c
SHA512 5496c8cd85d471fab856cfcc7d1416fd07f94f532374b10a1b093aa69f165136524501e0df06c4cd9ea5ef0f79286622a6bb37dc946cf0b641eb10bdc75e4aa0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f1552d5ea9e65dcf49ef3ba7e1ae80d5
SHA1 a6a1ca145bb0eb2745cd4f1cafe2ab5d63d0f0ea
SHA256 8d4e6d857e85dd9be20e6bb74f26a381dfec7f940207475eda19a80bc713b32b
SHA512 6ccf117d3b2ad36cfa2f20066304b2046d6684a7d8c291be168f85018696c248d0e545ccd0b408305e1dd3788b3c44f706341e9f447a11bd2ceb5812c0e2a7cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07bd81dfdb6fefc13e206fd6518d9b75
SHA1 dc2466b912b4a636533184392b5fb6ec3af7d0e9
SHA256 8c8f5268e743299dd68f2b250e6c9660689be477f75e43db7aa9fbec0df15df6
SHA512 9a8a18158ddd22e132decbfac0b7b2ce595888ebf0a9986ace2730a80a0123b079f6cc1ca0a83d3a1a7906ba81771b668dbfda1291758aaded1265a1e89b9778

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9fe456289bb02f759f1c6aa24cd41ece
SHA1 59c36daeec54e40402df183fae1d8577f7549cb8
SHA256 0ef79f743927b3cebeaf7f23fec05f980c9eddf888ad1b2e9e444c24347b949c
SHA512 f7243b4fbb51eea6e08eef765c4bf91ea8db8176f9a64d97b721a11ef5482b69d647a6cddb0af81e23f19675a238d9092fba8fadfb75716fe64cf0572055e829