Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-t3tzyayapf
Target 633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118
SHA256 91f0c986570be2025ba3d5450f515e9692e253d5b6096df8819a3168f9500f38
Tags
discovery persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 16:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 16:35

Reported

2024-10-20 16:37

Platform

win7-20240903-en

Max time kernel

145s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 16:35

Reported

2024-10-20 16:37

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\633cf9d8d0ca1e2858fdd5261048b926_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

SHA1 36708cf08dabcb8f54a9b34e61655cd9b89caa10
SHA256 17adc06dbf52c9748cd6299088f94bfd480cb5010c1f2728d2aa3bdab0da9976
SHA512 38ebab465f6cd9ca6bf5d2f8e0f9e51b43c3fb8ea46a9f6281a8f364c15f2f6379d7ff55a6dfa9d6227e48f1911a21d75a19a384ce0c398d3f84b915d83e726b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c5a7e3c998a61235913297cf811dc456
SHA1 e5054a71888772bd63c70c7365bc0d5a04ac7211
SHA256 184937d6a2dc02b1efd676472bffa591771fe1b79cd1a9d0c8eb3f47ebc988c3
SHA512 7c2decb3227c61545501aabb9ff6069268ef5958e092051c65a43d944771e3287fa9c30536ca0ca7c969bb482862b182cba125a9cbb14a5cd73d3708c0179f2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab19115f08fbcb68351528ef82296dc1
SHA1 3a3248aaa989ee12abc8308486852b0aa286306d
SHA256 4bab2d6a9dca8ad23a83211804e6585aeba1eb9c337ec4a2b98e5366bbc06375
SHA512 b35c2f75dbce20128d0d7dbd0d18e15d736c60d49eb13e535873f95aec4b0e5edad6fee5a2cf618420b1759b6bd19c7ab612cd64a882f2568a62b74419e26b8e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 50c908810f66df23baa4e00c3229658f
SHA1 bb039d07db19e2ab7ea956f9a1dd4ad5346fcf60
SHA256 79dfeb3d6c911972d609cebfd0c5fd98de9a65a899b30b21a65c7fa98758bcc1
SHA512 ac17433cbc898c2fb2fdb3e156a62f4b778faad7bf84ead8c1e8d709ba2cf0fe565ae8824ed40b2576c1dfdcb806d7839b33cfb38f5f1b133ea88318cd7dd757

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f7449948f2e68f9ffc4c0d7c4ec9e2d8
SHA1 c6089fd1c16fa79b34e4882d9af2b5eeb12760b0
SHA256 d370a9a10f1645d29f5853f45bf1488069a50e7e0a2d982f5f1f73e8595aaebe
SHA512 19ac443132ccc2456b91029fb3c8b3d10226172b82dbc58f5d24b11ed81d893c679e8099d28c3eb7dd692be9b3a7bdc1c0178d7f37a37b87dea896d610fca0c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a0c6c2b11d8fb7120af637c552bf2324
SHA1 ab9850966bebfc8543afd7f184f479b475a8654e
SHA256 0ede07c99a02a45138480c468d896fd50c6343940d30dbbc05ad26c13d9ff8f1
SHA512 754921b7dbbada97a10cbaab204e9e1bce23c1052d3c35939fa11262cc80cf8605a4df76b434c3a02dc8c7c33ec051bafb2d9dbf9782d4c01a46734dc5bc1fbf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1455f37fd703eedeba37cef6151ee08d
SHA1 bd88562078251af5904c3ce3018cc2e5156557d3
SHA256 18d1812be75bc954924065e8428feeadfe43fdeac4ac4a5d2eefac918b0f3fa6
SHA512 17c2449d6542533553f07ee3198b7d9890b810e885b49a06a0f15ec3c17b5630f03aaaa8df3adaf8aa1340245364e890b2c34c68df2d968217003d67b51cdc51

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 879a6cc3f4446606090a207ab556c238
SHA1 817c65682b616f6a5f5148463b58597f3b05f809
SHA256 227e04c8b7453f5788690c942934bc07a191f41f41ce697e634deb42f6b0bee3
SHA512 bebf03f41561ebfdf39680a5aadf574f5240fdd3a52e83684e9a7ec9a6e1edc48180bacd19ba1ad085bd19149de6f32d7f1c600d9b44905fdee06987f37aecd9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 98e7ffe2ebfaed0fad8231cf7e6f63a0
SHA1 d3f7c49b4eca2c3cb6e50665e0fc0f9376698046
SHA256 6ef1865f27c3176b8cdd4a6de326f24488f948f5a7a887bbc952cebc91b776d1
SHA512 4a2cb3b11bb9c2a36d768af77985ed28d8c524049a12434c6b80297438696abeeff81787990951a742e180f47f0e4f5c03bd7bc260e4338891f14b47003a1ea9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4158aba4ee74c2f8c04f1f0574d0ea18
SHA1 f35c673be1e170d783237a4ae47ebe10bc16d0f7
SHA256 889dfb8230191d245192be94d484e4135c4b85e7c5e7d1e1bab8a62852dc6b15
SHA512 8e4570dd1c760dab205ecac7e498809c9b36ef87564d7acb9c8ece677109f9b7ef05f3810f6bf7df8627789b8f680b4a1c607282de91477ca136af7d6479e743

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 85a394aa4fd53ccfaa24a14172a1ace6
SHA1 3c41d19a8fb45a8677e70580f06a8aa6588be9e5
SHA256 efef1f9885ea4d2f94625ea34df92a8b68e5050937d9e05685503272d8753d89
SHA512 fdf90bcd0376211a9853deb03819749919d243fe164a4f66c770ce4f9300821b68d85709e7de23c92f2b2900571b88068590a572803a883428fe9180842cdb9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c38d770930540cbaa1d08adcf9138764
SHA1 e22d931078eb24a7cc062f4118ece48a5f56e9e4
SHA256 ac6aa5b328d145b5a6468254fe1b81dd8309386b748aeab0f1c8023cbb0bc4f1
SHA512 bcea21a3a3efbca0818e3e31eecd9ac307d01d17e469d444c753f914b4374da159b77188e945a742933ea3bc3969806342f2b8187aec66d3b7080b1093351367

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd4de0e7c75a672e673364f2458eebb9
SHA1 4969305bfbdcaf88c3fc5abb8dc85ebe9d693a71
SHA256 f15189ac5458673ac1f6530962f80bf060a87604f3e2d922945e1646be21d056
SHA512 4deef3768bcc180bd6c405c5527d14fe4a7438a0378ae6ef8466ab2ff20654f6ae8e394fee3ebf3edfc697b34221157bf0a926ea7022dfd2b7833a9b1aeb03d1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 28986e475e7b21cbb7ec689dc98a9364
SHA1 499bc91c2cc0816651c0b87cebf9fd64be3c2d4b
SHA256 300a886d90702c00c49504f75d3f16dd268e0a56536fe1e5f4c55497ffce3f6b
SHA512 639d47ddab5d2426cad21924da990d428d8631771f2a1058275c63f9fa2b09a71686dd164f5b26b2bc240556a42d309e1b4860ae2a73cf99dd43c74570e83668

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 916f683a1a61bf0988fe8846219ab2da
SHA1 b67eda2e2a658a81bc3f664ba26b9a790afa58e5
SHA256 bb562ce4dae7819542468d188b959896ca5c47eb442732dbe8c99b05ca218ec0
SHA512 3081fc585f8a33af441462e9a34979b58113c6c967a7f9b6ff502725b0cc1c5484a6cad9b0e73750bd6e5feb45d036602fcf5cce4e7c81124d2cb0edad4d5b1d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d3b01243f5df88058c1be02538aac5e5
SHA1 5222a4233b39d742b7ae3c4434ead86387a31fe6
SHA256 6cde07ca6da1ba2360899c0dd2505c0956ab180a527ae1ed8d0ca304197abb5a
SHA512 e9bdb9fc3f54c60a85f76098a2ccccaa629363d11d55811f96b08a39d495cd81c712a426d1f913adc6447fa0e1c77e175e9abd1a309cb87cdac5c9031c5034ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 78663778f3aec66961d7065bcceea8ab
SHA1 a4986a93731146828a1250d04767cf9bfd6412c8
SHA256 d386a1faacf9f0cbc2367064d6d8ccc238cd28a8decb13d1f3ac2c9bf5e537a9
SHA512 64a62a305fff298063f1f70b7c752093fbf6cdb5efe71503d6b388afd013d6ced34f3b5ae98ad198f76919d772f30dfe65e252359deef533a7ec1b5033468bdc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8c327d75fcbbb23d817cda9694c404ec
SHA1 36eae838629bab123b9f573f6b1b87d82d85f95e
SHA256 afeafc1a46658923251f6efdfea774275a103aae2759aaa064254875f6429b83
SHA512 5909761236bee05e7571dc4c8c6633462f69443ed57192060ff5afd1191e23f5d692fb369d6647dbc1d44bbe669389e6713681bac6293f03f5014df1e88fdcb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aee29eeaf22449c6229503cbc7f370da
SHA1 574d74fee16ee59b5624f5a96338c0b71681bae0
SHA256 3a9d86ec14679ec268908f9acc9c4e2020a1f84f171decab5455de1f547e8b6e
SHA512 979eb4cc9b80381f81eff26550f6fc8201dc974d70228da5952cbb309c481a3d1220df1a94075b18249a6ab3cfe3107a17cd5827560ca3b2147167d07dc8c37b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d0e5abca2ba6877f232fa4f59d8fe923
SHA1 093ee5fc61e236a50de76334a3f06c8fbdb96df2
SHA256 07fa7077f1a9a0b21447ec604f521d0fdecebbd0babe4d1ea2a9c4c43ae00f7d
SHA512 cea86bb2a8fdfa9bb7788edfb8cc0ba49b847b14cf16270c1d1844cd7ba26a71f5eeecf0b2adc55e1bdbd446ff0aa210d196d84da224ff875cbce4aeae36a1e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 55acd92c0021dfcfd15aa01a7d1f5f9b
SHA1 ec1facef1f0b3c4d0e68315cd9ec24d1696ad23a
SHA256 c732c463adf7456914290ed3bd5e4ee5ba27081369dcc442116f9b623582250c
SHA512 87f6825dcde2bd1894b4b0f2d689c0572b244f21d3badff56b4543d5390893e145817fcdd10e7e01cedfa5a9019d579e0e694fdabad89251b232a2d09b01dfdd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bc827a167b7cca3e9d27e66fe177ada
SHA1 5fb4079ec16accbb40c7972f97ed9da7133ae7b7
SHA256 8073f3e5a44ad0c1384e976ff204f3b06da7b3a7dd84f0a585b38a63c6b9350c
SHA512 f0657cfe5c217541715586c165e31ae9fb9476ec16917fd6b38ba0a63c8cf52e22141204ba709416dcf6eba23bdc1c2f2a79f4aa553e953814e5f366e3ab049b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53b094bd3d739283afbb5230546c8fc4
SHA1 c0248e833628ce07cfb144388f9eb28ac609a508
SHA256 adcd028cd6e73fa11d582dc5d9e994813f01f72721c93a69799dfe7452971c4f
SHA512 c018596772007fe560ba0b1550922db12ccc81cdfe6e626d01946b39684c4ed4c2ea280710abd28cfdb49bfd153c3b184b7998a8b9803bb1040784493d359cf6