Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-ch3mxazgmh
Target 54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118
SHA256 f7abf97c66dde0d10eb7d8a90c2286ca4e03f78204fba4a3d7fa405ad21e434d
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-10-18 02:05

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-18 02:05
Reported 2024-10-18 02:08
Platform win7-20240903-en
Max time kernel 145s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-18 02:05
Reported 2024-10-18 02:08
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54e2398991a9cddc07f7f06a872f1d63_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a415d5704113e50f9ce43997502c6b74
SHA1 260f4cb38fb1560330d67d5a24c75ee4660cad6f
SHA256 b15c81dfcfabf615aad3bcb4df32a2e333f38c90594365c8b21fa250935e0c85
SHA512 67c7c47544bc01b919c3263da54b4a275b31dede8f8cf6c0015bcd042ce2711ee6f1b733493b7435c2624d6a98d6c51673797d8b54fbd8aa5f1cd492905adcbc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ee3779269d8992ae5970b455db4c72b1
SHA1 40f0d48042affb47b48bc37579220474f06c951a
SHA256 450d4853e8f1479a57995a214ec0d2be0f2f5403d4904c5ed6908bd2b4778c1a
SHA512 9c0c5c063aae66190cb1b933c313eff423dd53a014233cc7489a07680ab8915c9d46c99e8376ba05555d2eaf5ace418477457198421ad69c26fb90dafb1d81a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 70d3c21440a263814dbc4432737f58f0
SHA1 ce6a259d2af76c3dcda0e28ba56c80fcc74cee34
SHA256 2e510ce210ecc2b91d61ca0d421659140ad002ad106010aab7504f142ebe3db1
SHA512 3ee65064c53e97e078d22c7e60365262c4ef305acfce5d68154f787d661d16fda087b126229bdc4beb12f88dd6f5230da6ee73809b889e89e3931fb56ae46114

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f688ef4943a9d1348bbd942a14862ea8
SHA1 5ae8c2fc5881449d43edec3c9d2f35b86c42a07a
SHA256 2fa50d50719fc740a44dd7b75940e8e2539be6e8890cb2cd87244297b9dc56f4
SHA512 e7ff3889b2057b9b9e8b7b4ee2c57beeb77e76f7b18e95297045865837c122c1687004e52d8d303395d94c0be679226b0c4155795d35d577e554495e7d1c2f7b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 63e6cf2c267c76b8431332d673349499
SHA1 b89b214f81dccc7bcdfb032aeef31f55c7438c36
SHA256 edb36a5b277b38edfbf2de6741c815d6bb5b8ca56c27244e31602bb1a67768e3
SHA512 a4acecea24043b764c6e5fc21a78ee82659517cc022956526e9156a5a087a6a61007d00abd96f7c4cbc75435c194026bc3e99f2c7e5c50790a118b85d96ac227

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 887845b6d10ab0392a272a978108bc04
SHA1 d35fd18a8e2b9b4d7192cab322b7ae45cb8115dd
SHA256 148507d333cf2841036a8277422fcae388027ddbdbe5a12b98c1c52840e3bd1a
SHA512 f57a03c8a236cab4b86e2a754a2875e984409ebd9f2b5432597c60383ffa424e76889ecb1a18b7fa482ffcd14675ee82a34bf8f7f174a0bab0a638104f2ac464

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b00f8763bc2ceb02ef84a5e266f00695
SHA1 f6455680d49f46d48136ea87e7602cc431de3d17
SHA256 efbfbb8c2c499ff3cf98cb164c0ba64ab457cdf411b2571d08eac63d6f8b0d50
SHA512 0e496ef7590de349d9055f0a5fb3445448d8121cb9e4b2cea83d007e0208216d77a2e94028d97128949bff428cc59a523020e127dff4e840e1a2fcd67e021db5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d052e815d99c07c3e97cf8de24f9b8b1
SHA1 aa062cf0120651c19ba5f91f92110d0b4445eb48
SHA256 f6c2b64ad546d5bdad4b8a09058fa26783601c2d72532a5517aad6fd1d5c737f
SHA512 f6e3982fecca1a349df4e1dc2f88281180fb149f11d32a2d6d1e7f7c312c2db427cfae87cd4e2269bc665082b610d480430c729c6d8cf3b9f8ccd52d2e743f3a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4e1a2e114ada47addfa4c111a8b5ff03
SHA1 0354082aeb9d9cf9bcaf33e9dadb66ae45206645
SHA256 3fccc62a7f03c13d57e20aeab8d887bff9d56d7c0dd4c007d552452471022d3a
SHA512 bb427e6211fc9a2c3c016e9251324df9daec37dd40c6a79634e21fd308b1e90092b70051f12676b863d3f4d1f422f295acc4ff155a7b056273af965ea28754ed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e447f02d7d1a3b75560c250051908f58
SHA1 6526129348aec919f5bc707c15946d47634e44c7
SHA256 e9dfd97cc15138a42e2721576e05c36da6d66478112c30b37cbd4a3953506327
SHA512 3e669f9a9ad6e287fc229766db6c3f97ae6cfcf13a74a78a0212b1a93bca7b6991b42941d4df1d1855fc74b5b1467f1e443370308b9e4c5806d8013736a9a2b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 708179a7a32663f1f8420c6a0731e7e3
SHA1 ee4bbc5d719925ac7afa24b294679975e0ab87fa
SHA256 d707aa14abc276a997287b02ff3463dfec0f44cb762b0cb65736441cc0b78d33
SHA512 133e452821749419f3d4300848b13e6605c5f7f290f724321d20444cd2f33e6437e1329f3b46f13fdf420bd94273c5bcf628844d890f434dc34fe661f587fda5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 780adc391a889b25863a3bb2ff82ba36
SHA1 789c2c567cdd3fdfa75b1f635f83357e4f53f979
SHA256 272dd84a50bad0629eb59d20f6f5d09d57c800ba1684e22cc526b2af39dc9eb5
SHA512 d101109f4003f2b421d5b03cec7289f343a218d13fc4e94aef5b33e12ae604a6353f10462182e6fb95c994d9b53401f11f6ae162d63526228e26de23ee2d7ecf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f795c21ca76a9aca2b4bd278db4c49a
SHA1 5415fd05a556c46879156a75cc0c69329a8aa1ff
SHA256 9d169768915b2f3628f904036ca3c87b85c4f817b2ad52074b8b2511de20d50c
SHA512 2b57e7888f88a058a84def21151d1fc4329f695d7f85bbcbb6342eb2e953853490eef277ceaf750061b89501618b613f3cd6e217decb3c02ce205fa203cc5788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 78a1e437b9095c5d982216d22136e268
SHA1 22da3e971e998e22aa9d0ef492ca25c61d15c668
SHA256 c9975a933ee55bedbd1048883fb9948852c20148692a608c832d8b6ebcbe93d0
SHA512 bf8048e52d03a85fb95fada308d6af7612f075bab58a97db8fa775bac9e68a70656d0258fda39c8808716e261a4c49c7a278d0bda773e92dd3b387a6be91cebb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3efb7b7623d0e221d1f1596626addc78
SHA1 726bd5ce7bb245c2402873fa31e34c8fe6c247b0
SHA256 c0255151cb3f4f21bb8e4ba9fac7615c80a3227ac33b06195bf221151ac0cbe5
SHA512 e6b9e9ed1b9f3da5e79b5483dca1d2dd3b5cc802aa248e41a9f184c427fcf9b59f2341522c5688e7ef92878931ed2e026aa38c3ed4df1e7d75d4c299326ebb1b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db2e1560ab9db4f170dc1aa8dade7a91
SHA1 72096624185664f0c22a31356e08d49b06850cff
SHA256 87b341f781721a2a7bfe0a04d2db7365331ac2905fb37b68bfbb34e9a6c1484d
SHA512 9ef87e6e0ec0c7c2a0b37ef61c3d07a14e16450c4d7399c3fda06fe61a05d21feae5643d014eeae9d18efbda88c76e7fdce09d752cee011e8db68c449a0f1186

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f22039baff83cdfb9f85787e64e7532
SHA1 c445f8e483389534983eb03253b343ae54586965
SHA256 80e44c6112783d125bca0b16380f7d2c59fdfaca3602b4493b8da657a89bcf3e
SHA512 2efeb6c1c3535a6f7ea2fffa7023e5e5fb413b41f7b4e98fa92c7e1f44c86e68ae42b89ba494944ca41ca1f93fc38dbf9ed1c04785e12fb76b636655c2eab0bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c129f53e01e6aa01ada2e199e47c0a69
SHA1 e91bcb2f25d168ac886da73bef7c76792ddde220
SHA256 0eb80ebd610640462b375e4bb6be5fc71d602842d1b1678ea275bbc80271310e
SHA512 b416b6c04da6b7276999f96bac55b6a471ed183e4ef2d455c3ec10acd540f1a873ce6672f4aff582a13bb92da1267f3e6836515dd472c12a281563f5e382f8a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e0400cbc7147c4c708424baae169ecb6
SHA1 d42e2c62f079bc6d5597a8c52f99d1cdbb6041ac
SHA256 cd0818f19cc9b6a4a2e749423da66ae15d85405ec16d3ccb41746c8eb12e2146
SHA512 8ecb5e0a174ab17b3dd13f6a983ccee6252400fa6d12b49a1440f2c650dee11ceef50ef3cc4840b7b724b88554d41c42c33d3b4f5ff5a207964617a8b6f1a63c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ac8b0c2207dd23365c41ca0f12983bf9
SHA1 ff471bc1697f365d4a0572d03738a68394da06fc
SHA256 02ad8c7c889944e9af2d57bb20bceb54f82d1416ec0af45aa5fb2f3b317c6e5d
SHA512 f169e46ce32864ffa0df16651e0503a5e7f74b8496dcf44416223c119c8363ce5080657432ae27c220de13ae057e235a84b01665c6e1d4efc88c37710638a369

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aca5d82904887d59cce7500d89b6d056
SHA1 6b843ccb63e41cd5676a1160980536164d011038
SHA256 fd6cad61342b3cb73abafe1e39d530b01e24af7394a44777a73e1f23021ba2d2
SHA512 445028d128fa53ee4a20c7970d7b97aaa9d935c3fa30a2847dca54b323cffb8e15c2509adabe1403469244b121a89115c01be9648797c581403794ad5214da97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7f2e4846cc9793a6bdbaaa8ce6a7bdb7
SHA1 5a0e52fdab5b1a183741001c5aa7ade09cd81a85
SHA256 ee18a81864d7d425e31a4e448964dcba8f29c1d1e4c5974f1b8f879f589bda49
SHA512 53b4e42343283faad0fceb1750bdcc6a013864b2e6d2aabfe316ce5632f3a7e8a5be69856605cda6005ef8332bfff47173d8e188cfea7fa2919fc9338a27239e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 684911411d14c3d07853b4c6ea6b0a34
SHA1 0b3304f8727ebec0fae05d1572e91db34d8fa8d4
SHA256 c70f958d4b27599f38cb5c28c56add4e4639fcb69dd1392b55932278dfc4a412
SHA512 0924eb13a1e9f43926940fb7e6ee15d220f1f65e5b0dc5eb193b57f7de3a5f998da14deeed3f5689e516a32dc9a9c41a1a295b6b77222a041d7d0ab01479293c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e