Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-yylvzszfkg
Target 4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118
SHA256 257dff71ae5ea5b729585ff08d5b50673131075ab51d022ec0adf3f9edbefbe0
Tags
aspackv2 discovery persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:11

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:11

Reported

2024-10-16 20:14

Platform

win7-20240903-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:11

Reported

2024-10-16 20:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ecaa18e02caa40c3d403eea9af3bc3a_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ec59ec640ae96b8fcac6dbac952920aa
SHA1 32c30e3e75c3d1f86acb67bcaee59750502ced5d
SHA256 54eec296ad53e266b519406ba497bdda68925c234cc17a691b48a9db5aeacf78
SHA512 91871aedfc48121239a4282b852061e7e03b1eb45005483344e9d5ad05e7fef2850d84476f32e1af9e39ec1b48a3c282ea853379bccb62d3f8860ec3889c284a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4cdaea182f3e45e4f3929d364082c056
SHA1 0208790cf27447b08755a11e27482034801a1fbe
SHA256 e62ee7aaa40fda07f518d7123c595cbcfd2fa09e8ea461401671aa81457fa9eb
SHA512 041b7e579f837d03b3c6ae23e84a727df6c15a83cad26fafb5aaab3f6c3ffe0fbe9e663c8b3d7873522032cab6e6ef1e83c5c5fd2eab545f040d80cb625e2fd2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3385ea82b7ccb3b44c018376ae06695b
SHA1 3c4d1c492849c53fac9b810c2bf1ac5a751403df
SHA256 6dd8fb707f3b030b4c73d92ea649d77131204e510bc9c87e6cdb66c12b8ec190
SHA512 cd25833202483735496f4f529db6725e752df97139f344400b1e2891e685233d3c26761708f0052fe7a96212e6b620b79f463b7f8fcdf215eece64dc57ac186f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3599aac90d0c4e25636ebe848ac10897
SHA1 d36960df70d67d1f5447303eed3b968ea2f86eb1
SHA256 a6574cc4c7e5dcb2c943842813dabed49b80cba551d6bc6c396d93d66bf3d572
SHA512 1647b85aedc7591075f93fe93c8e13eb4562d3f513867286f773c709e20ea5f258d3adab79ddcedd737c838f9a11f2a19c6d7893584a89f1f1c49ad603bb34df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 df32db257822fabd7f736715ce8400ed
SHA1 49b540041e83b2f513f5310569020246af2afd24
SHA256 83d8faa8fbc6c653ca8d3dd02d20c637231d68d48d08b82bc78f147a668ca817
SHA512 2807f462706a36e70aacae76129bb399c9453092e7cf5afdf9cb73b1d077f9a3faf1af72c51b3b81be93415109c4fa02fb57acd93ea616c388f6a02dd0f24cb4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 229f8128aecabbc8ada011f2d1adbe4a
SHA1 387ea6f149dd0f58b1a3687f3afcaf82317f4a15
SHA256 ebfb5cbd8aae8b94c52732e413745cc522239484c301544ad2afc48c18a24078
SHA512 b45dd96ed9c63eede2cedb624d71d30b0a86c3828109f9a1f1bcdbd371733e15b202c6f3dbcde58d7c49c4b8cd0a26057dbacb52dfc6950de59b9752d79971ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 561f43b7d33064c83cd458a21a1fdd62
SHA1 7a2e052cac8cad4712844749005282f22ecf1b61
SHA256 98e6b09f81fec4f728d362701c05a0c4a1119741a5d035dd065975021217654d
SHA512 657cadf7734964d2c24b8ef0e7b1b26d9a03b32d4c6a0e7e49194cb00d6f9cb72d251226105879c261ce3db8183c461025139d18ce2dcfb587284bbc89b7f609

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5a7d1042f4b50622432f9136e65cf874
SHA1 1a1a7511bef51eaa8e37d0b4f3e438395ae63f22
SHA256 d04125b457de4ba5546252fc6e75b2154b1aa4040bee729e3b7ced8289272c48
SHA512 fb1f6499d9db6ce9d3d1931ab0b376225c3060b705b2211fa74b6c5d947c5fc23a67bb03a00e73b146a8f0064a6f7f3853ff317d0d59cb1525c77365601cc1e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 08854a3d872c68b201f2d400a5e355f8
SHA1 2d41632981db3156f7defa4e17495027765e075a
SHA256 da7165a6e99a1f60d38af8d2dbc4f6be53d94aec6808f7366b52d6f61db4bd7f
SHA512 2d4b79752a422a69fa516f6debbee4ec32ceb983469000897914415b046cbcb6d52037db8bba33470e21c289f5577843c59cfff664f0ef24c62ba2a630160606

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 85528101da05ec746209201417388763
SHA1 80ae02bcaa58c4c78630b65c478ddc4f68e772c0
SHA256 4b09f815cee4fcbff0380d8a948211ef1c1813287a3702b4f986396590e168cb
SHA512 9d69f429806d055699689e5a5dbf56770b48bb553f15b1f8c671c111a23a7e42d7fedfb36b3bb34d397e2beab30a03c06bb8941cbfc0778dde8074fd8d9c2c30

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9d1d80aef79529dccdfb4ab8acc59cab
SHA1 7b3d510c160b5aa23067d03fc0c6e249eb9cc7c6
SHA256 0dfd4b37f6f4bd68ad68e01287ca0fbdfec5d15393944fcee78e5d8edd313218
SHA512 530e54cb1822cf61eb69698dca82f18cda59528df80661a3fbbe94c708f26045013d78213ea6a272b7a00aba4ea1d7d5d650af4ff797eff1d8b00d51a953aa5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fe8634fdcd5363b1dac16f8a96bde827
SHA1 bb60b36399d41bc6670d221a5db29bce10c166b5
SHA256 03b1e0a4b7916d392bb7774c719fd710301dd5de0e871e751887855192ffa946
SHA512 ac051c9284632a625db44ecef734968fcccd672db2aadd143b1e665046f6ca612836143556b556bbc45e61ef19519712986af64ddd38b6e40b4a10a820f4fe79

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 630d3891a95efb06483f0fdb4c654dae
SHA1 39689d4376da4496c253ac04228138f81d34dae7
SHA256 36d3525a3877d245a6c4fe7d7eaea0c18d00a7ed04308fae85797c0b8c3b70c1
SHA512 dcbcf2b33d5dea5e2fcf1e129473dab92ef79216cbff478ccbdd9a512a55ed48f6bb3e620f3c48c6689c7ca996eab1a6d9c4a5173536d8872d51f022a3fcc2ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9b14c435664ca3ed1ca065df5c624337
SHA1 304caf5585ce3e0e87d64ad01c24e7a4145d759a
SHA256 861732454594d4f47b6d05c6fec2395d962a5eb20b5bbe6949b0912abf514d3a
SHA512 02414ebc7cccc4dc168b756c1243581862aad4ef70520f2b5ff275721bf999f8986a69cd38783826f09b48f0d3f7990b619db4aed8a85dfda9cd341c512c9d79

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fa38e88eddbbbbf4fa277f669dcc28af
SHA1 3c903a9d8dcdd40037cd18d6df977eddbf76046a
SHA256 e016f705657ebfac39a8414ec9c0349b39ca9a3a72b8bb2ea2bd502ef75b57a1
SHA512 b85d4683f1acb8cb28baa09c7db17d43b4662cf05b24edff430000e749051da807fddca19bbd3a663c9bb355caefe5894ef8b4402d94881e28f29ddbf815e6ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4125f8258af7ed2365c06aadf07573bb
SHA1 ef512650b82a8dbec4571cfb222cfa9b553447cc
SHA256 c55ee7d45362bdb143099debf4da1f9f3bc2dedec1a196bfa4840b4da73da9e6
SHA512 16e27d4bd76ef6398a49b499599a2e86665821ea774aee4f5a3fe59956a61cae302587678857b2969fdb8391aa0163f56d39dd4bfee485c771fb10f98483888e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b40278c7ceb76323deeddf53e3c6acc7
SHA1 2e9506a2f2e69a30dfddfb4fd0c9a374c2445cfe
SHA256 3a9ed617c2b8631dcd333fd7853bf746f24b02edb219ce949318c31f709f10dd
SHA512 98b8fdb9184c758dbb4a7aae599cf90cbeef950d0feda2d7960843c5e327b68b5302524c89a24624b155f3c9e8ce06281c08c6422902b413d03484f7c1926b9d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f6fb35a7c1ca007e0be7d9c7ea3adc05
SHA1 43ee20e0965fa443ca9b41a2317693d8f13a53de
SHA256 e43f1f83c9a44179ef2d171f24463749f80c80448accac142a8e302745b005f0
SHA512 38ecaef436d21927a1255d6e62f8c340a08f0707e3567facdb7815149c7bf77f41d848926eea215682c30f7aca9fce350e11e4a51b2ca06f601fe11e948aad65

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0a16dcafa15850dd8d4c53f2f7ff8fa
SHA1 bf8cfc672fdc08b16b1e64290f0481f603088391
SHA256 c2d9d14b7b163890f529e6e7c24d1bf8515ca4e2f9dac5822bcf73ce3135deaa
SHA512 eddabff0955a89fd24352d3a8ad17c876d2c0915138d8c781199b7b5f779705d7f17547062914d1e91c2f851ef991b6923af8aa598148cd556c233f363d4e3c6