Malware Analysis Report

2025-01-22 19:55

Sample ID 241016-xm4qzszfrq
Target 4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118
SHA256 649f22ae060c619fde783418f0dd30de18a71c4c98effebcfc92a3c8419d89f7
Tags
aspackv2 discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

649f22ae060c619fde783418f0dd30de18a71c4c98effebcfc92a3c8419d89f7

Threat Level: Known bad

The file 4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:59

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:59

Reported

2024-10-16 19:01

Platform

win7-20240903-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2440-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:59

Reported

2024-10-16 19:01

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

memory/3356-0-0x0000000002310000-0x0000000002311000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/2604-5-0x00000000020E0000-0x00000000020E1000-memory.dmp

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/3356-45-0x0000000002310000-0x0000000002311000-memory.dmp

memory/2604-51-0x00000000020E0000-0x00000000020E1000-memory.dmp