Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wknfjstbma
Target 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118
SHA256 723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818
Tags
discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

723ef5c8665cc631c3dc5215aabdb0b379c6c4b0b247a36ddfd4954174024818

Threat Level: Known bad

The file 4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:58

Reported

2024-10-16 18:01

Platform

win7-20240708-en

Max time kernel

145s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:58

Reported

2024-10-16 18:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e3bc33d73f4d1b456edd175c4e1992b_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
SHA1 061aa418c0271fe057ff208b1d5131666a0eec4e
SHA256 63a1dc6901ecdfcc7d7933336efebee81052f877f99d1e422ca7eee79f1d379d
SHA512 e15422994d4a23e21a5cc934b2d8efe86b7fb9e6ccdf0651a5507016a77ff3b5157a2bd4225289cd7ba01fb5e56650fc2f97574fba249e01f7c96efb56545fcd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f6235ecb56ff2d132556291a1cfeaeb
SHA1 b63f8736ed9aea6863b5e39dbb6064e317be1ccc
SHA256 8bf3ceff63fc3b4c7aeec45f6c489199a61a05cf38f8c2527896497ec074e0bc
SHA512 dab043819f5221a4a68d2a9717267c559c483109b824c8cbfe6741ac465b570d5af6024f89facf6aad844f9bb96c08fb972b57bde7fe14aa5e2a825f8293af6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61ff3b02fd9d8ee22add6ba79c97b1c5
SHA1 37705c42f62772653d3d2219e31f47f596a37986
SHA256 32513f651c7c5692adc6f0e4958ac771fd0ca20a31ee369bdab8eb913ff5d2da
SHA512 903df61fafe359470122f49d7dd73650ecfaf1792c4767189aa8d1a379af4a0718a43c4c9cf6e72985b6a0950f013cff7d08abf3aafb1b03a3aa7fa4355719fc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 86d5b8fb84c4e9f4c57bd96d84287d4d
SHA1 76cc351121e322e6efcc28720289cc8d1267167a
SHA256 81faed34d867957d04ba8c03998a08a59eb7fd0e58cf9e772fc401c1998b3933
SHA512 de97eab4cb9e318de02d6b75353c32ad43a24178a03c4081b1a40f600a109d8268cbc4f2477c01c4c0f7aacc8e7e799a3bcd4a85172eb14e9572b43816fe17d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a08cd089f1b8d98ea6bbde11efc43f1d
SHA1 a2e15a5e35f0ef8dd19c84e90b299d7cf5147117
SHA256 1ba8f394608365cf0bcf8c9223f54d9dbc0c17569b7c2e8aa046e1bb6a270897
SHA512 6364802d1cfdb1aca56d8965f4a0a429a80489b6e5aa71c7aa3ff225a37ba3d4f726661bea17735a3b9d79efa10c2c1c6e7d8ac1ee52ba16962065d9e4849dd0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e45ee63cc0d3026505279a6f68d44e0f
SHA1 681df8a05b35d0187e34ef7d3bab1a39cd1a1c20
SHA256 6f3c6e35e35c71af7d9d1bde96a87947afe9c9239070f2eaa762dcc999c9b47d
SHA512 537af26aca258b11950629a72dea52896d379ab504d2a4f6aabbda2fd83a3b52fcabd68ac7fdcb13519b1d7b6d735fadddca641bd9df78c3bbe5bd57e0c308c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 404e23b40d901f0ca3f1000593d89cbc
SHA1 90748dd9db32ca56d799ee2cb31b5f72f64fb2f3
SHA256 b22bafd5de2c14d6964dd5b4e852427d5df07b9519c987243d1c2891b625fa2d
SHA512 a1fba31ed19bbcb26ce1e01df47c07dacd20f4083c7f3f14aef09c4ac774f16dff6b8cfd4aad51687d1cc75eec9e9b5814355f7c389090592aa1366af286e0ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 26314a40b99f87207e1612b7c7c24a13
SHA1 963c68acee5dc5e016a8adb52dd1d2fe7162b291
SHA256 10c7db67d870ad480e605b8aaa38afaf722e2b668bf9d092c745a88905d1e7f1
SHA512 cf59bf32a67fe77c8e85a05fae5b31a73550b2313502e1217f0bf6683743586ace8922d9355362eadb0e662977212d1edc0553b9cd70d402a7b009c0d6780b4d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d6080e9bab32068e918ca2b4969a6cc7
SHA1 dcc01d92c20e29d24a5c06af44c539bcb6a702f9
SHA256 5768dad086b03f50410085ae64a6478d9bb2bfcbc12a2a64b46cb87624c251ad
SHA512 c06d5f00bfe39717d6ffaba24ceaaf087673ffa5286113c33e6626283ab3e0a016027e0995149e73b9a0a53d78eba1bb47e7e8fbb9968c76628ce94f1887e0cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 badfacefd4d12d1320a1cbc8447cf544
SHA1 df19644adbcc96545fe11996a979206b96441c41
SHA256 5b9a2bfaec5a6648f773dd268653705afb13510d9ddc72f118d29cbff7812898
SHA512 60b704a75f6fb454dd956dc769015d1edd466a11a56fe70fe09bdd21fd708449dab14e20d94f6009a72f560124b670a5bdfe245c8346b189b706ca9cd637dab7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e161b4dccaee6dde573f90681a191a0
SHA1 b39928b4fab81dfe87b7e1b4206366f52324129d
SHA256 40652d30811abbab530549ac042576bb4d149e307f3a9c7b7f0687ef42fd9a5d
SHA512 a0750d67b18de14609e6cfde8cf57504066432c97cf17ced566f802c2f898ecc3ff528560cd8d83afba3f33a8cd023a3917315f3f78db28af7345db24a51433c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ac07f5eb9dada8b3ab7c4e3f2959ab9b
SHA1 1ba02a37f11e0c34e90a1130c599d5ddbf257c27
SHA256 2a351ef3a3ab7eda0a9f84051009d45d166af9ee9c62b1297b2740feaf743c78
SHA512 65a44180e95a6f6b0ee2e3d4a0dd074ccdda8183f30e312175d7011a1104d736ff048829313f44282a368f0da0e88d0eee4f6a42bebe3361da2daa376fab5760

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8b7b7b8a7181684789609043206d1388
SHA1 67e4dd0101ba94426f00184312769c506d685abc
SHA256 bfbb433cf09d8fe139ec35935a98f998ec7b9ae3eaf7080b5239dd7b140d34c5
SHA512 2ba6d677c39d339e3b3e90508eb6ef52bd411b92762b46beceed7e02a29aa5ac2cd5e77d43078f5894b85d143dacb67cdbbb36d542776299c723baa2b02f0c7f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bf8ed22fa5256abbdaed16571b4e2069
SHA1 4f2c6472bfa03b8018dd8615969d7f6289740cd2
SHA256 5859269537c60a1b27788379d5f1a812f87bac97b7edaa5cb4ed728502d8bd83
SHA512 b979f2225fdca46328d48d919e04fd3bff9a24bd4e5243b17e465a4a481eea5f39b8d040d7c63e4d972df81be136ff4acdeca1e7d84cf77a962c3821a8f2a4b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 11f20df0923d21fc2f6dba5c89a160c2
SHA1 a592395be88443e7491f80c9809c78dca6885444
SHA256 efbcc26c3188587a79501625e803903ec1b8f685b1bfc3007847225d67d1ba73
SHA512 b41c0bc58de33c4737d97534e5ac65f4a43d90d7555d43834b770278d5a371a5dbf3209511bedf44b8b46e45391c034dac91628ea22899262a460ce41875984a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ea1880ec93f07ab18814ef5dc1d2e59c
SHA1 6b35296e26e3337ac18bba427ffb4b4308c1648f
SHA256 3cf2cc93deb88c7b12a32a1dc6e84c0343ba9934b52cb322ec126ec3e0690846
SHA512 c1308411434adb5ec9e3fed777f801eaa239b4b5131cc3671729815715dfca270f37962f1a434c9b3f1a14a04affdc0d1fad3e5a250780178d70563b885c03e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e5222729af0c53e9ff04d3b7aa39bef7
SHA1 e6a73147bca6674fcbba91ab83ea703f48602345
SHA256 f977938cb681fd0ccf493540302f2ea86e3461ebf24196f481c1c5010019f643
SHA512 5a57e9bf3ecd5ef2bff21715fc7ad4925ddd83b9fc6cb064aa7303f68883f06d7ac6c5948cd506ffde2ad536cdfd2869c01c5ce3fa1f1f573a32305fc51937af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c9a9000fb269054a77fe59b7511c7cc2
SHA1 c308c7f79e93ac2c917711229d5083b88a3deb96
SHA256 3c154b50a8c7df3b9bcae7419946ef84e31e1babaf056c54418b07152caf71f0
SHA512 fe079436caa3b7e078dfe4f83f07218d259359a58be3e678651cdaadb5c893a90e630083012261950a1918afda30706675021844afa75e37f049c8d1166708f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a0bda9694b9d52eeb0328935356339c5
SHA1 2b0257902c5c4ef22df95b764280255d9e4435aa
SHA256 aa5eb23ee4a63d3944fedee8350ab46dee77030f95eda8ad96030d92a44c81f1
SHA512 692bddd820719802981cee8782307e630bdf3abda7c68e8187313589103b89ad1d72fdd8e8fc5605d18855edbd818c0ab885425cc35ed8457241fb85c8105140

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d078d81cc0669638c303aa4894565ce6
SHA1 4a6c8c5bee2727cace4ea8b6fcec4fecabc54887
SHA256 1e20d0332b9c261d0210992c272b0121af28727129b5d8e9da3e90a384ecaf1e
SHA512 478a93cb49112ac2897a395b522a7c152bedff65bd7fa5879047d7405f9d4063d55fa361efc46de8ff51ba94e8d28d8e2964e087cdffaca0dbfd4578f73e97a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1f156c07d2dfdbafb2edec75b5439e7
SHA1 e2ce16f3740e2515cd8a47526dc0068cd90bf2cb
SHA256 390c05faf73aa49fc4c1d2fcfb5b20f62599fea42970c9c391feb09153700e19
SHA512 47bf9e27717795322cdeb24ef03d5a144b316d579c93c2dcb0bc36aec9e60e3fe875ce915b0a83d10c661a9703e0e890c94695b055dfe1fb32b80d27aec24947

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 be33ef4c2e1cf71dc8d19eaeb83c513d
SHA1 730768af771dcf7373d8442c3a0ad70917b4d08d
SHA256 80cc7dbea132a719143e2f6115241e989da538a8050e82433019520a70bda2ae
SHA512 cf41cb0df51b192c969d1b260ca1562785d2ce3e9ec06fca93087a9eb7c9a2fdafeee4ff79f13141e8d1e2878e1def6e9e0052d07fb8d9df50e5a7e0324e323c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 341529699a933c65170d872df4076e16
SHA1 9c890f5c38e1196a74ff9ab88559e2aab58daca5
SHA256 4d63940032a47e628f2ae59de22a48419456eab99d644d7f7f8015c99a9ad457
SHA512 c808dfc5c4cae86dfa6457777a1a74eb7e2948999fc30f6a5d78205727a7ac7dac8f2012ef69dbbcca4e9e1ea481b75090fd8bf1899995205b2e7c873aaf6005

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 995bd3f09dc7a3e51c7667ef2ecd2c1c
SHA1 a2687bb251719d6fc2f33e7791fd7730164b9670
SHA256 9e14200321879fc66349f9825c026ef17ae41506e766e43a58617a4740958ae1
SHA512 e6d7f6e7d7210f087fd73ca29df690efe7de1c72d5627d4744bd87b3db952dfe13684120e7961d702e109abcecc2285cd318c70a116ba57d8f9a0c7ffc0059c7