Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-2nrj9svbke
Target 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118
SHA256 3a838d77489e2e60c77d1bf82a0d7a82a02ed1ba9c1bf1441cbe8c64eb348de5
Tags discovery, persistence, ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-10-20 22:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-20 22:43
Reported 2024-10-20 22:46
Platform win7-20240903-en
Max time kernel 145s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-20 22:43
Reported 2024-10-20 22:46
Platform win10v2004-20241007-en
Max time kernel 146s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64713b6d231e03e1321e8afd9ef7cddc_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
SHA512 ef63c1fe37c43bf271ded89ffa2f607115f3a495e2d5aff7acdf3608fba539317b0938689ae22064749cee51388b45804b6823d03c190657f647ac1e96d39b7d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a03af24140c76e2646888c142d2b8c5
SHA1 5813f64e79cecb95403290e4ed40464851680f16
SHA256 012966f0f5b218907872cacf335b0404dfe240555aa65ba59cc9a6ffd29fc1b4
SHA512 7e937324c827fd13d1a23c83178fd9718f91bac9aa2d8d6ecb5a76c20af748e5201e925573734915f58c0ca1432a800f3bb6e5209f0474cd90922e0b5b89c130

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 528c1aad8857fda9896596de156df7e9
SHA1 e29faadc5c051b31b1b6fe59a4ca0359592520d6
SHA256 1abab871090686438e0d4e241369bfd7e065d27ed54c610fe60c412655a69c3e
SHA512 62ce22145ac4eacb32c1cb092102041fea46844e21bd04c44360133efa4338d42543b889ceba1604b062bcf88a1ffe50c650f219613d8bc07b6cdb5b487a5779

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d6bb300f737b617a79337f999164fb8f
SHA1 8b3064671efacc7d1be614fec1bd6644a5a72516
SHA256 22409c89f909a7a9494e7affe1aaf0e2e6c9d73adb5bc56a5296ab7cc731e390
SHA512 bc1a5a1e0e720275909215c82c4770e50f3f6ddb6280287683f688e4a5eedfb0da9ffdad338f7f346a9a1c59dc8dc4c106323d1536331ddffa8cb4d785aa111c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f95d116fc3b47f5a37e226d0365b7dde
SHA1 111800a20badc31950eab77388b7991b06269196
SHA256 97b824db475dbbe67eef968d4e7db94d456f96690fcc9bd047e4664f8dd2a702
SHA512 27354e9cfcfe4c4e69eda02031a748fb75bd3e4ac298a41a1250d6e3a8fdd54185edeaeb985c80dd3b4300c87bda9675e51e57eb708417e9bcfce50b914f8bcf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7421953d599137100edb3bbb0041979b
SHA1 6c4394b17f179a7b1763565832d8b3d05247df00
SHA256 16e4d0345adbf37d41e3d6c379aa8d49695bb73e0d0f29a5f4df316ea367a519
SHA512 4383f79f85f2746599499bb5014930df6403adf22b120fd5e962242c244d528fecf1e0a406ef003676e9bcc9afe7df0254624d99ceeca8c16e12e73f57fd18c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1cc66d9a36e1b28902e94201b9d84423
SHA1 8c0e081619533b4b420574ac8f9328567071cfd9
SHA256 dc886326ae277704beda76436ac86c2aba6bd1b2631919203297266825f1ccc0
SHA512 7f37ecddf143cbb22e515b41f423fd054d06686144589d77e859a6d997804fd160b9b8a1e96ff2c70eb254325d81a7c0de8e8eda2e0cc9e18acb541a3cbebb67

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fd01764c1d5abe2ea7a097b34e45c74c
SHA1 c729c3fe7c0ec496207f043d08ac4728e3ebf876
SHA256 703cd2c7630bdc5df3d37e06880122bdba48323aca3e91af2d1cabd417ce65c9
SHA512 0f29c72f76b532eedcc72b47ffdb2c3c3dfad7e768a7ed5e4a2068600d1927a556e40d960af4912de31e3528526be183697c7a342136cca6cc389e8522a56a99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e6a424727828a3364ffff33de17427e
SHA1 fafb555c81b37b606fe954478872a1fcc32f923b
SHA256 42b261880b052c230a54b626e3a6856249a16fe6aafba41f3afb5c626453e344
SHA512 c6a969ffa4c24043ea47e71d11ed3c72fd41169a5361521af723ccf80c3865501bb792e184c53f5e0a41eca6a827bb811b6fee7eb8113c6c40f76deba4e7cc92

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cf07d816db09533e1d37021856cc8b93
SHA1 8c5b3132736cfb6360f5b1a540585fd91880816e
SHA256 e3347c6f7171a7481b2c369545741bdb1206720d2c7c3d37d82ccb4ee4619dd4
SHA512 ab6bc076d68b21a98751d8b92bee3c2995d1152d053e914ec3b26f71be635318a3dd52f482e6e96d376ce47cb4333b542f9fa26f309fd5a2e9e050b7910a80e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8564bd882ce0aa4d131f1dd1ebf8401b
SHA1 26b5aa56d0e291226c321940956189887fe53960
SHA256 06f99d3d57fa0874e263b0964813365f50a406be7730b763c18faaf6da864934
SHA512 7380ee6ff3a2b8dc9eb1344453d1e4c277051f9e40a122950446954c2f7083f076b660d75ca6a1cdea0bd29e8ddcd29c7833f2673076b07650b3b039fbe85b86

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c4da073ce88b1d3403c0f88e6d15557f
SHA1 9255c2d8a14f14d8af13defa3c6bf49d7a8d2639
SHA256 fa5fb973c72642661ad3165bbe1bbc01c5ade0ef7b8b4ed659424cd2595c27fc
SHA512 91f82681a08a4ad67f1227c1f54958e5edca1e1b0d98da0e86eccd4a8105d8d78b9708e49bef6894b03f8eefe586e1bb8a42816161abafdc75a4129ad8e646fd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3a46b08ccac4441445c9b761dc24af3f
SHA1 9feb74316321ce3e25963324134474ba739b1520
SHA256 1abfb6cac10f70e25cf2efe6152b2e25ca40c5293d9b6f9ea7551f5baaac993f
SHA512 157cd3f037a33aec9bd310b8284e476f64ddf36eb7a47f0b2276eba8c4ace3dbcca495b78334fb50d96ae0110ca73dc68b0385985f773f04544e0d1541c5c507

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a0db81ffd7bacb1eacbec065e1925c83
SHA1 d0d283d47a2fb55a0db522e87293d04257025ab6
SHA256 6ea3c0228610a9a1ad061b5308a2fcc517a45615c55e6c0d86dbb2ed492d579d
SHA512 9b7b6a688b77b74c12e583ab59af028b0ce9501befacc244aa84067f67a1a98958c46ee4222e86f1780d632dc012c4a5811513df43d3f956e3f232f7cbf726dd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0e9a5d48e4c44c0456ed378258e9e4c5
SHA1 3c64d07fcc91ea9e9631a3034ccd7f20859684e0
SHA256 a615cdd19591f6d5df8a0e40a0a1a31aeb9f39c1cb52bd146b9ad6a56d90acc5
SHA512 c7ee97d681089cfdd8eff61fc39744d31b8daa66ec24743516d2f37da537f66e608bb992074617fafea94e602c1c4c5dfe1a8e85e64d1561441a7a431c2570af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 072247dcd350af490a240e3d940dddf9
SHA1 46695560db054c382c87b5ed5d43e66d744bb529
SHA256 3a4cc0e23c2ca905cd511e57e59fd1404de049d8c8280acb134102d540ec6d11
SHA512 13a0de3da382f0ba18273922aa197534e36e1348ae987cef6a94509bb247d9f1477f64d7c0d35cda3ec514ff2e6e7b2461ad4eeabfd41fd6b663b302024af3b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3777f353de66b1be0fe6e24bcb1b594a
SHA1 8569d2c6ef76026797040c917f7a93f06313e6c8
SHA256 8fbb858e2c3cceff57ce7452578f56c5ae7f856e16047cda11070b28f664624e
SHA512 6f040b45c98f4750a7dea2351beca04b43b3b6d0cf68821a95b10a2ea40a0f98273dd3ba1ac8f2990f4fa2e71f3d7c37bfc3c715fad689a45ea72a1c703df236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c8f39b4415355e202bf7834254bbcd2d
SHA1 1aa4ea4300af0c709ad265dba1f3cfca6140a4e6
SHA256 0aaf734191c1ad000fb72b598223bc01cc9278609eeaf486aea075d733484341
SHA512 979c4d8c8863e576f3c6e1a62fba360842452b4ac18f6073e1356c2589aa494595d9efa7137899f199ca4a08c8b273361215bfdac450ee96c8e9416797938df4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b02f2148b95e65f63ee1633d15d187d4
SHA1 bd55938e58c599a6c09041e31aaadb398e2e97ff
SHA256 d0a4ec748f08632bc8e99b82e6382f877ce14f80f9e81a93a13e2cdd560604af
SHA512 c3889f6bb7d7c4fa349715a4acf7cec244eb158c4868a42c8fd10756087ab5e5ffa57d5280b3ead88de060aac8e79f8cb938dd038ae4361333696190a22ee401