Malware Analysis Report

2025-01-22 20:14

Sample ID 241019-zk8chazeqp
Target 5e990fc1373880e155f0485eeb37fde8_JaffaCakes118
SHA256 e47347db75d04aa531b9f4e88c6d72e8164ba3e99ba5cd0b20aac80ccb42c35b
Tags
discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

e47347db75d04aa531b9f4e88c6d72e8164ba3e99ba5cd0b20aac80ccb42c35b

Threat Level: Known bad

The file 5e990fc1373880e155f0485eeb37fde8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 20:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 20:47

Reported

2024-10-19 20:50

Platform

win7-20240903-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 20:47

Reported

2024-10-19 20:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e990fc1373880e155f0485eeb37fde8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

SHA1 41acc759a2356175f7a971f82c6edef57fb176a2
SHA256 542d132d5bb168088087d638be4d1e98a884a6477eda036b266ee206eb13c496
SHA512 d7f09569a71a873fff95f5ff11fa75c3a90f64d97cc261c1952b6b2d6f7644003950c6b40150b2ff830e38f37ac6c69abafd58843bf68a380535f4ceb173880d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 30371b271fb49fc7199508132e308dae
SHA1 35fd941968d8edaa321f7b6b97f3f1f0821550ac
SHA256 2cdc5b0459134cfb6bfe11adb383b844058b9922e3ae2b41062f9344c108b8a5
SHA512 d66e2cd412362d0af03ee68d2ebf4a649545b74d0ca07b0222a88e5059672c9fa4a0e91c717c934d1c23a56c0b59dce0d7ed1d8dd271fb38755c1ea5f690f0c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eb95257e46725ee2ed960b642b5cf31d
SHA1 f7a80684dc69d03dee67186135757267d259e08d
SHA256 d87a4097d4aa14fe7d4c031b306cbe7288fb1c5613d13e8a5cc4ec2508aa4b2b
SHA512 8fdecf217ca17d59876b9caf4b59f62709c64cb480bb681a60fb6087a647477250411b0b3c866515481bae99dbc904d218b5d3de04741c0ea9d1fdb5672e2015

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b388dadc44a9f1590f4dff6aa12055a6
SHA1 24def0be7d89764bc9e9cdb1268d92f49a3275c9
SHA256 0fcadede473d609be828baf64b751dad3affa7e20739f7ef1e439f4beb7f1902
SHA512 b702567ccdf54bb0d7689601536913bad383b72533073148712e29aa5a1b0298ce21a8d3d4ffbfdc03c74d3db714d9dfdf1d892ed3ec11b8072c072782de8781

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ff4de8994a98bbf09393b8d1230f543
SHA1 00ffb7b6d32c2b0c9e38996565796671bf14459f
SHA256 fe9f9ea87e3b2c362d0a3b30519a2188286c1c684cae92ed7314f8624f9dc9b3
SHA512 aaaa611606527644af3e10db1b7a291bc26f798f741b2e11384aff33b44ec2f1d62275c059a34101d8d92f8073559e55be4c0f66080cb0fe025fbffc0ea9dc20

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 35344390152cc9637a239394471145e0
SHA1 468ac80bacd1c3f880b80c240b31dd09bc83b9c7
SHA256 6025567c7aac2dcbd13fbdcec9ec9442a20b2244e98a13581dc2e4121d4ae385
SHA512 a38cd301c802152d8b34d13930bfbb32fe246dc978098b625489345072146e7b7b4ba05ff4f610c15739bfb09b0779f213b0b02f74ee0ab5b3dbc8b4f99bf11d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2b5f9fc8e0a01c9947a1e340c3ebac2b
SHA1 bc43cd21b6aa7f758fb0a4642bb2e751fb1b527f
SHA256 0f2a582f279f2c47389af2983212ae8813408774515683da121d68faaac93698
SHA512 200a99213206aa655f01190d222e61b35df679c019545f2ceaceb28a90001274ca6898cde473d097b4efdb6386c892a8e091876297a83a46db0a9a537e9866cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cc9d32b5adc75278ed9de7b0d0cb0e55
SHA1 51b4a0d86e635d92c308610150c1331f8592fd8e
SHA256 1efe0b66ea5f02f1400ac1665db658958291c692b929dbfca3bf1630f89289b5
SHA512 f243cfa203b5118a33f8fb2d0479f82abd0a70dfb8eaabca561bd957b98793ebc46fe56017b34860229a4588277f5ca09960a72616bd3b084c8e72d272373c8e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 531a92f442072e4019ba313cc53159de
SHA1 94da0804608dcbde2c30781e892483897f8c4c30
SHA256 2e43a070e44755e74530e63e97de77ea665c7bf993df16b2957ca95a1e0f220e
SHA512 032b25fbe553f419498cccac99216553618cf9ca8ef89af61232a9c4ea39942f31cc4d04d0c5ba63890f1a5c1b61a7a2bbd17013e217216ac9b68ee659b5fb44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 89911b2e0bbab595c8493b8d217b7d4c
SHA1 97758526db7995ea5239b06e3a58d694eb09be88
SHA256 bdd2c28b35bfbae9813c7ceae67b69005e8817311f11ab3f82ac9a40035797e3
SHA512 401d9d0eff344824c4344299ff09b4e9ce2dc752c293c5fdca809bace2e64b4fd458433b92c43d4b03086726e4d12cc7f13933a966213b9a37ead80aa2baeecf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 735331dedcb7eff6cbfb2d243212846d
SHA1 2371d1721b42f3d66cd2e9494720003889bf6296
SHA256 c4a3702f4c41744102fc31e0647b8f8312ac41105fa9aea81594db2901f76c58
SHA512 d9c322a593225f0555fde522d396255841fb9b5d5057977a237e17b77355852afd71f5b37f1ed6cdde9671c1b78e37f1c3adeaee5d3df5867416d338f66203dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 df7a33b343d8744a1de4fd988dc9cb3e
SHA1 d19451334abd86878df75e975cfb30575555558c
SHA256 95d8c3e63c3521e220c8cc5c997e1fd344c840817feed2b8a677a2ffaf41b14d
SHA512 95c0dd501b6c3e7f6f0d8c89413632e2831d3b733db53a4bb09121e53afe86b147c2bce9db1e469379ad35fc30183449783030305068ac890d0103d87890fbb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eba4fec2645a41ca71669c9ed98dfbb2
SHA1 304b6fface8d66dd1cdca3c5064cca9b5254f008
SHA256 0270604f8529f9305c2c7bf41c32898436fcdb0c70899bf6db69d04c1a0095e1
SHA512 86e3b6c23e15b2667f4d93ab5ac2ffffefe5df8ce20c65ec95a3bd6147a853e76ee4b03d29d21a3d43d60ff0347b99ce47255898a9d80426cff1190e3fc41a90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5d324d7f8aa37573d80447530b071888
SHA1 c8580853c36834f4b6e0ac97435a987190a6e5f2
SHA256 e511fe62a6a29c556f1f4584e6a93c0a2a8dfbeabb754e149bd226891cf435af
SHA512 674194a9eada9d0da41f19074e088ce8d5512eded031b360d439e2d81e79c7caf387bd7ca722a9ccfeb9223dfc7d334d102de53e75f0eac59e2e190514e09bf2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9949c7e8a6622b12b8a40a5aa4f20e3f
SHA1 77f3e92002e10edc654978f069cfcc3b72063f25
SHA256 83b998f3db7a52e352df260597a0f7f5da382793ae1bf9096173bb10462a3403
SHA512 54adfb31d4a9d8199162149de0f58620e389e45d5c8cb954701ae3476837bc8ee4f24a36ffc0ccdb07795bfc75952df7db531a372c36ee338fd94c64755d7845

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 19a02c37f82ca2a441072aa94c47fb4c
SHA1 bf1ec5f3dc5d377d927857e0c5e4b6503cba2bd8
SHA256 063b200e7c4b833825d3468af80489009910b31ecbbc82b7f7db64ba57124d57
SHA512 78d8b8c9020ee0ff86996c1a90c72d97cd4b9d35b0524d06a80d71dcc86c19a8746370a38b2072d3261473c7561ebf9d44f865ca742287ff8724cf35ff9af8ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dbaff85a080111658358bf7e7a5171b9
SHA1 98899139e30c20c8cbbc1eb681948713fd46c15d
SHA256 1b5a33ba1f861e5e63d1b662de941e3987cdd68b6fe79b246e7d2e80941ede7d
SHA512 82372284435ee3b85ae8ee42872a7504fa49334b54021e5daea0264cfcfc856ce0fc24c1ce4a9bae74ce2e5b733b5c4b572851b3f953f930ce7b63e1555f0558

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5a7db4fd99de9d7be7f0acd5c1741142
SHA1 761edcf6c7d17f1c021f8aa30f20cf6fd5421a51
SHA256 190be77a16bf84d591ce81631342768a07b0d9b08341d9fc33152a0db369a527
SHA512 8d9fd6604cda6230ebfa442b972b5afa0556d85c7dc1d1832332ecb03d3e6954a4176a1ef15ad9298f445ff8d857f7a00848832991e5fb19c95e408875c01961

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 79605a9eafaf02426f4ca889b1ee026c
SHA1 15535a81f42679973e841088519d4277e0c597a9
SHA256 bfebf952127f4095241586077b781b4509d17d838cf3a394bb007c21f5181a64
SHA512 0d2e26ebdf79a38698373fb2ca37e1d89281def22df4f1a458577b5f9b792735c0fb6918154ed61bb207166928aec08898126e5a6f3635e2a25e6906f54584ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 39cc834b66891ca19b6c783d2a2eeb9a
SHA1 1a0160407e4ca199af002a502cb66c874a219da6
SHA256 2f053c51bb6e915879c3aa4169e51c6b02954041e666cc2f17d73c7152741cc5
SHA512 21fbd3502baef8fd004afa8981bd82e523bad48e99aebcdc8648e63df881babee4984380cf447bcf7874c65fc6318cef49f499ff19bff8bc864256537772e4a3