Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-etasdawgjh
Target 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118
SHA256 fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f
Tags
discovery persistence ransomware
score
10/10

Analysis Overview


Threat Level: Known bad

The file 556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 04:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 04:13

Reported

2024-10-18 04:16

Platform

win7-20241010-en

Max time kernel

147s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 04:13

Reported

2024-10-18 04:16

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

SHA512 790fda4ea0028a67426a7d0c09c4506bcc185336f0984919495b05e6a2b95ce47d8d332e3aca03c888abe196193ec13e41f3208701cfe55871989e1f71fbfb85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ba8aa626271eef76c17a2d5585620766
SHA1 b2193808507bbbc9c0e79909d436f3f47c1bec4e
SHA256 04f597f017fe720dd1fb1512620a53e52437328f4226992b47a458628501b470
SHA512 c3c79b10f8373304fc54805ecfe62081c5dc756aa5ea52e89d6804823bc30c97025d499abafd73e3ea5d3d4ac7b1ca742ddb69bba09f1af31d806384ed27d676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f5f8b743617b704e3c909ee3a1b91b78
SHA1 36edb4d3585a2929a10e8ec3f47e77f1802ab90b
SHA256 4a4f9858ff8ee9c5345e5e30f3a272183290b0525c358507eda56e69c2abd42c
SHA512 1787b37002d3dbfae337d265f9e8cbea9450dffd93c436c9ee09e92537ba47a3182ee2af018c723c43e784c754bcfaafa3a3aa11349e89f0037118b891138bf4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0b35ac22996b272d99e881e403826430
SHA1 17d4912f51058069315496dc2554d9a6a310caee
SHA256 8eff6c4b60995ef2e99ed882b3bf83bf5877bb42ad67f1fcf1bb5963186f1b45
SHA512 0f841241103cf78e8aa0070b7547a0f8b00fc7322d6d2dffa2778be634a2ccfc4e6c63fa36ca1569402d5de0ec5ee5716d70da177ddc667a8906ebbc8e8566fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3eb0222610f1efb71314e454d7d4d3d9
SHA1 237c4ef6000bd2b071255f7b3ee3200b852b32cb
SHA256 2cdfb02e022716091dce22dff0f4f03711426ffe1addc8be807083e10d935ae1
SHA512 d132c47186342e810d67712c27c3ca078118b8ec40ee8f8d67151746cfecb1e87079312f1679998eceff9dc94475aeaef57804b918419f2cac074d0cbb753ba0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 76d0103cabbd36aee1f996efd062f137
SHA1 99a6d656cadb49722a11a3ad97ea21c47e24974e
SHA256 c3296954dfd2b28a5130de971e1eff1f3e29c3d67bea7c1fc4f421ac98b86f4a
SHA512 57168809dcebb9a2f298947d5daa6aa25dce9e3558cdf7049c252ae291113d1d08fa5ae98a5f507edc865d3d1119c99df5a288d4896877c004e11f8ffbc12aad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb5278ea6c6bd4a6e5e45f230077d878
SHA1 43b3694d3be22c97fec2d2b9724cd5a4e47ce9d4
SHA256 5f5e662e93ad7e100b23970d01bbcf671b20275f1991eec4c990624d84e0335c
SHA512 411bee976bf70ad2ab811c8b9cd05f77d21157d7de7517a2cd0df2bd984eb74b18091aa9b171ccd8fe8656d00de60cec39d3753968c17f7c227c4cbd1556e4f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eca752d5eeaed10d25f1eee586e5ab59
SHA1 268821161f479f067cad48200342598bab6b3b1e
SHA256 5005fa96e7dd198db6dab96fef1fc4825152eaa384fc1d1cad0fc8048045aaa1
SHA512 704a9a6d24e4f1896e5a663dd4f36ed3d64a89f980fb2a003754000b92b7dca0ccbc4ac0e2b16110e1e8dd05bb6489bcb8ee179cee17cd9dc10b3101d9d43518

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1d67a8186fd1d00c819cbca69614beaa
SHA1 94be37d5b147dd918410d7213b5bad98dcb6389b
SHA256 46c44c2c54c8efb85e46a58fecd9a2360084ace2737cda2bd1fc20eb92d3d470
SHA512 0b7e12812704a6cbc54d580d48deee6c3d4cf3b07ac94a18b70e3db00faa278265de9d407628f837419cbbb54cde437cd31aeb5d19a49f3d83826df35a0f300f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a6b0684ef248305763ee2abff93b15d6
SHA1 45f2cc2d5d803da79dfa63d1fac5bc84538c6b0c
SHA256 fe6337b4940010fa6bbaf3918bbad97f31b755bf384b11765c8c25f13ec2aaa9
SHA512 aa52259659c10214e7a2bdd435ae28b7171d50d29a33f4b067e2a6eb68abae1e665ecf164b5495f173bf04e8baf6a754cdc5f6ce37cadbe0221dc2e3dccdf92b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 008955669c9c7361fd3bf0664ec2603d
SHA1 f719160b6fba98926102e0812270fa7f78d5043d
SHA256 7397ec8f38ce996a734acbf2bbf18870774b193af56fcabed9987c91ebca2e7b
SHA512 9be0bfa88f465329d32ff93f8bf39ba9cdca6f04b6078036ba6b52c3d5ddbd5751b67655b002eeaee72c1f722b71b68ce24f9f34015c406aa6846bbcc0a82ad1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4fa5d595f87f6eb25dc9b105e5e78b5f
SHA1 123f52f7199825c544abcb1064cb2341c3b39147
SHA256 3d7de3a5daefb07269d94b512f937bddb786c723f956038d2d67e9797fc063a0
SHA512 634b51c0e929d338c41981902379b4a2bc9bdcdc90c1cfbf5b4a239caa092afbe3fd1ba4eda8029b2549fb5479a9164f61a3b74c37b8c44f47a28c46170df9e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2cfc5bb87e6a0756c170c29fe3fca66a
SHA1 222a09ea9eff56a4429bcf62e41779d588b573c7
SHA256 6e77ad1812b221197d2c3f2daedb3aff0e3266f077c1bdc14d1f957d673c8f10
SHA512 584940aa96b9d4d087c1e3f793dea671db45ba7f84615874fb8a3b4052e0577cd85f2d9abceaca8ce9cb114740c23755ead9862ec6ec796106200323f0682505

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ad39a089586e848bb47c23d0eaae734d
SHA1 defb8391c86876dee3bb7bbf28b2565bee0fb8a1
SHA256 e822d8cdabc87b2e844592415580d47832f6ef48d7fc9a7f48500dfcc0e3bf3d
SHA512 88e85487b249839e279d88e2cb688396c3c776f0edb87ec55bb944f4f5e3f9c7d460b23f166d88b910d65752b6cd46beefcad8db7a70a4db8218e8dcea2658bf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 af005f0a291be71f98b14c3d356cf9f6
SHA1 c1e789170cb606bd86846e00988ea8b2d9950959
SHA256 9b30dcfeb89913d332f29c40fb60a2175a1783058cc601e3c208f1a9a27aa4ec
SHA512 c37711e42f1e8b2c9c2ce07cf9e52633659a250b0f4bbd0cc8a7701e1b2af09a3812c6e66b74d0e9b77e90f15c18d24839ad51eb6890a03f40b3dfa056590b54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9df1948ac31fc3bab676072a8ecd5b33
SHA1 8e0b3c8416a16c041f98bd40b5684f5e12c109de
SHA256 d8470c99b7461ecd4faae77a11cbe31ea44203e5eea5788508fd3db59775207e
SHA512 6b8128ecdf3dbe83ed3dbcc180dba1ad02b6fbb210e4761dce66b009c610c211454af3b2bd9306b4966efd621f37c6afbf30dfab6dea2e195fadd732c83f84ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c5f5038cbb9c0ca042655d7f50471f59
SHA1 40f43ff95caad9189b12e76e65a35af42f2d916a
SHA256 5ebd3e5cafb23eb0e7030ccc52c564c4651a1ff2ce5d126ddb4b271dbfd03ef4
SHA512 d8bbb40e2f7d6fb5acdaec0491f03421dc7cbc9a5fe0d820d7854bdae70011b575702f4d158d9a6a460f119657d14e335918d5bb1a0c741391951231b444a32b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b24ef66a20cc174705222b1d436a72e8
SHA1 0f3351e5366d089a4749ae74548ee1b8b8e5ed60
SHA256 ddb724eb860c9a7b7d8b00d3861b546a57a3677982439b670cfb1b2d1be95025
SHA512 aa536ec7ab491d41fac5c1d7b16724ace800bb808987b79a0c845ee635d24ef0ca7574b2e28d1cafdeba5f89f567fd066410125bd50b490f645ef81424e72666

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c6cd4c7edb4cf55f2b1a26730e7e1ac1
SHA1 a296d8e38cd49be46eba95fbd6b01f08239b2b5a
SHA256 c9d152b1b41b386b37a21446ec476f78c5fbed07b326c34cbcfc8f6610fe1129
SHA512 afc01e3f2d376001ce874d19a45e0b359dbb9247250e26e0de2c91ec724463852b7d4d11cfb9680d54971ed4cf448d1cd8433f0750c983e2aa2aef6b31189e36

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1d6f614935e93f25fa8d0085d08e6ed
SHA1 e92de08221cccb77531aec4de56c1df128a089d8
SHA256 0e0aba653a213d4717698c7d7b9d537e86d4b6df06e0e757176e5b278811398d
SHA512 5b3fb9d960faabb4977a3f547b5d882e69beff2bfd21b019ce7b5f89476aa952193538265f8ed589a53b2a1ac94b5c581830be170d2ed0f89b53874d58bccd64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d142937ca9c110de99cb332d0ae8db1a
SHA1 11fa7e2ef7e9cc7e26bf71292a9e1471146866bd
SHA256 fda36db1c2844bebc4558b003c05bd7510d57a1908b6a561fb695df0dfd3be20
SHA512 eaa876d30188ea52a60fed289c74416e2c01b18acad5ab362fdf2fc27490d7077f2cde36ebd20df536a6a33a99a8468110b9d18c1fcc13f7e682d579a25c40a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0413118bda879056fbf496cf16ebb5f6
SHA1 b9ab0cbf701a6ce886deeb59ccb5268c7a4c3758
SHA256 41541b63c33700a4366d9b2ad0479b961691cc0c3bbbf10327ddb0eb0e86cc98
SHA512 b56acc26ee4879146d6299996f058f354931d10e23fcbf710e2aedf4f65f4f3a6173c19a70ad0ebbbc76da4b79c4dd0841106009fe50b011dfda5ac51a495a5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 28c70a742d50d25580c2830e518cbfe4
SHA1 41d09f8a80c1083f71572195d2950a649ce19de8
SHA256 f11d3613a5e1276df967ce1079814978825a95c28333c887a692ac5a0a384277
SHA512 c4850f5b5014c4e12ff49a0df84c993d98506921cb93b4c8069b021a997fcf34edc8a8182c17ae223c3e4511d94847aa6e0514942bcbdb67423be0dbcf066915