Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-ya9l5sthrf
Target 5e4e270e125f9df914328423bdd71b47_JaffaCakes118
SHA256 147993a1f53b512dc1b45ab0ca5d3174fe9e3316dfc5b869d30b341272f1f886
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

Score 10/10

SHA256 147993a1f53b512dc1b45ab0ca5d3174fe9e3316dfc5b869d30b341272f1f886

Threat Level: Known bad

The file 5e4e270e125f9df914328423bdd71b47_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-10-19 19:36

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-10-19 19:36
Reported 2024-10-19 19:38
Platform win7-20240708-en
Max time kernel 145s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-19 19:36
Reported 2024-10-19 19:38
Platform win10v2004-20241007-en
Max time kernel 145s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e4e270e125f9df914328423bdd71b47_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

C:\Windows\SysWOW64\HelpMe.exe

F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

SHA1 b54263b2a289a3e5bc9178629b6ecd09ee50f0c6
SHA256 05bc5cbb9bc821ad562bf5d6bd4fbd370435478373032afffab23dbfe525ca7f
SHA512 83a3501fe788d1c8e57440d58f2a0e3c74849921b28f4f6115b11acaa71efabaa44359d992ac8cf0c68a759a1e4fe0778cf2f593f2d05a812b27b5a016ce59ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f685b23121e8b1509c8e7d680c691d71
SHA1 ce5be1cfd1c8773b78fd2fc6463a5fee93107454
SHA256 c30c28c94cf9380c222f3588026ab9034ab6ed343614939eff3ce52f0c442e26
SHA512 4b7b586aa426780da71643fdfd6358c75896887f33ca2db3cc0749b311b3f7a8ba339c3da7ecf1e476a1d851309e8eb76f0c5ac26d18c251c1c2927ac8a9590d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 572bc0928475dd34689342f3c5962cf5
SHA1 625d8914b91d6561129806004cbf0fd72307716c
SHA256 2f94d3555a9ed22a5f60be4cce42247f2a3dabba3c6059553d497239994cb4ec
SHA512 afc32f0f9668d8e51c1fe4541adbc14904e77fecd0badbfe4c75a99ec2e73756e4d121e15ee2352acad250a960cfde96126aaff48a141cd007c696be6975d294

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2443044edde3e179a9a2f3e207c0664c
SHA1 bd7edc0eb2706fadbb3eda4b92feff413461a946
SHA256 f9ce3600fded616f6379b3bb14a5a42c5683ec1ed9d8d09e2f83a3fa9e5e687f
SHA512 46cd72af27410f11ad205c0269f43e0036a5f7c935a6314f5b791d509cc982e818745193354affd1c7cb8048c6641421ea221191127f3af0662f4d355ca6e919

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 46327a42f20f78076b118817d2c9641d
SHA1 2e8e17556b6aff4ef434fb4955d04c5e6e06e7b7
SHA256 bc0f5b0c7bd499f2b7b9920193df1574e09012b2a7a8efe2c4b191f2b06f7d84
SHA512 0f51e44cea008361c4df8eec8f91d1af35838d85d54cf19eb99f7bc7e6a73e652c4584ca7e1fd57a8a5e40caae87851d0e2856e0989674aae408a5125d90215f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 391f82336aed51f31b8d638b3cc95622
SHA1 9ea38d2b7017d94077b1662c24d5954b13bd7eac
SHA256 446a8d6fc4b1493f623446f70a16664e696dd9b9761570178e0bdb95d555bb0b
SHA512 fbf2eb0674b6ed39e3af62e6a08f75988471a3283a8012bffc6fd2f35c7b7fdd80867e0fa57844164bc9d0ab80e97637196e58d1c681e5c03bd4bde5f83db1f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b55645fbbd7e7d0b2bff2d062a19a55b
SHA1 9f57ed44366d53e79dd1b1586c8c62bddb485131
SHA256 0c7fc79a02a3fe9b47c0ace33c7fa098f73f172d841ed37db9fdefb1dbe467dd
SHA512 c626420e4a80aa2a70fc226d530b1ca0724fb647fa0a5553b8ffe87b551dc202078635046a975d9b55a83b8b58eb3d02d683ff818ecae8768ce98006f8b45de7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6dee4e68d4348cef15a6894898ce1109
SHA1 1df5ee5d7cc6d7a8ca1028a997d09bc23b149a91
SHA256 1e7249ec8e73a1b8438824880abaa2626a0c5bfb9c07c80fe80dbfe10f400bf1
SHA512 5d56c0a4dce64a0efcff054f69861cd1ef7612607a4c8a6ad2601e3c522f8fe862004525ad210b5997252cb0f784999e309ec6088013745ea84bb4549a229317

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 28183d7dc85031bb32feeb91b2af186e
SHA1 0bd0d2cb156cfd5184eeec3301ae0d2b3648b06c
SHA256 7dbd59daf3f91664eb9e2985c500982bb65e7f8687ea2d9a1396d66cc33688ae
SHA512 106f5382dcf6d04dc83244880486837eb3c7ae67acf855e22a0bb35bed6600745067abc726ff0afcd4a1ee1c9a6fc9c8f90696e9f97dc7dcd8e7405dd6d5fbcc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8b6bc431b68b2538971150269fa378ca
SHA1 d788e8fd38d8d3c03b3360d49e9aa22350cd7b3a
SHA256 7304cc377993083a3a8a2c8149b2cae9676ae6ba92e84dd09fb1cffda40a01bb
SHA512 f13880bc281a95b84ea0e246396c32748f304898a84f6996b29f1ca21e4c84d6a2c6c3d689b2da5d24382b9847804b6811636d9dcf536a71c667e83099cc290c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 27b3e8498f96e84c15b66ad0b7bf95a7
SHA1 6d922f1cc3be0e20f9f0f6093aca2f26d03ed65a
SHA256 5401f30c4604eefa4af1cb6927e9c7f4b1d522116ce216f1134a0bac162c43c0
SHA512 50eeafcd506eebd304083f90db178b3ff66afe04f9add057be9ad0a05473ff5a1345c107d0d74e41caa6180cf78c03c3136abbff63b70de0bf8a852854a6591a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0a7241bb4fda73f5d5313cafd0c6f536
SHA1 d9bf262b88b62581bec5093393ab7dc83b8915dc
SHA256 ef32812664d84d57f60b04b863dd866faacc916141ad185a06c73f27ae58a0fd
SHA512 2445970aaec8196d86ab4435a80b293f54bd111d8e004dc9879017081b20a4b3139b0d795ad33e0214469431e7e0c6a05a27d1ced9ef58b618a6f93a2a0cf946

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef2536d54d4ab450da3513bd600bcdf7
SHA1 a724bf361a3c61b2455fc3d3bfad45f75160323a
SHA256 5d10d975dbc285d08c959a97eb4a5bb9b889fd54f610a262838ea75a77111af8
SHA512 2a64dde02044bb40e9dba41d1d2fedc23fd16e4879bfb7e4365f735741817b8c64cd6e5ab5d067b7ebf73ad75d0a6de25f2893717f2a4072ee523afd13e9e142

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ff0b0a8261e963e542e99ca57088c18
SHA1 f96342d3994b43b613f305f3eb62e8b2e0caa6f5
SHA256 87f017ef413f3c88ee29f73183c81992571ffc425f7caf7c8c9ffb4ba1abc004
SHA512 25f7426ef999f1c61fdd15dc010c506b387ad08ee58b88866afc724162e6b72007603f8119827301eaa6cbde512a284264915ad0a16bfa0cf115a953eb4f5a40

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 beb2058ada9b37629820c2351f5da159
SHA1 9a4ef860f2259ddecf42fc608e7b7f3edbe0f153
SHA256 25193344f46ac5fd6b9a8943e85234560b44d32c54af627709e2cb61f347a366
SHA512 c7c065b6dbb166b466594060f97c658591f0b0636f6357197f323580d4946efe09119370aaad1b89c55fcdb33ce73a878cea8dfbe025e1ea8db1e4a21315b402

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d591f79aeb669d3fcb8414140866d0a4
SHA1 ef96c6e56af0f26b1308f254998ef16920492758
SHA256 cb361dbf276da057c9a8d5ad4a724bc1e52099651764800ca49bf49e39151ae9
SHA512 c2a46dd6407cd2768d1222317b8dac92b9f14141017cfe52d20cd931e5c096b8f2ac056369fc88bbd3df1e6865b22a51455596c2433da837ba74b066cfb15bd9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fa2b2b6609e728b9acb17e4b3ad6de2c
SHA1 95ad9a0422cd9114baf59a199bd29ffa00c0085c
SHA256 29a094af2e0171babcbc26e2f84470914d1a022668e3b069a8b3c18a2d85cc06
SHA512 24a514fbbb3d63b2ec6b102ef6765634afe17a9f35e1548d14b09521d53d45486713624444cd2117cee52819100ff5211f1f198a8164efb357146595b56877eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8ee877cd1f2297acb9443ed903217636
SHA1 c35ec50cd40e70ca8cbf76789f7f64450b295b96
SHA256 859b2acbacba6ad1681dac80e7558d8df312292839d9bbe457dee04a76f50ed8
SHA512 6162e4012adbe1b87bd909e76717aa83aef84667b7f61b83f6e3462f99cbe765db53627ebf3aa125961a7fc8093d64c9bf2e94b3b71aa9bdb38b3c841dcfe8cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 441f48966afaee352afd4603a2db5ae9
SHA1 4fe67cecf617381b13a800e33f537ed05ebd56f7
SHA256 91305162d0e1b7e68058c904d521ed364ea3bc6a70cf36bc1bfed51ec4afac79
SHA512 2582dc9be3b2c1e846129ef93d9a6d810ba219ac81a2279a9769567a4cd1f8785ee7510276c996c46485120d47b7fabdf51e04d3820161dd6c225a02eb7c88bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4488ebe5853f95ab4aa10f91288dcf1a
SHA1 c049354e5288c9b04144d45f9c8aa24c1e7ac773
SHA256 e3174d51aa3145cee17d3d8fadc18dd283841f376dc0fc9f6b1187d29bc7dbe9
SHA512 79f83e59a4a6589be19026e334334da656678a0317a611cb8d90c0c04a83368f9cf67fe84bdfaf426a88c93b7c14a5443198595a90b1abc6451848cbeac49613

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d8bdc5de108abd65ceed5928922bbf7
SHA1 81daae126d0c2493dc9e21448edbf4ca7e786900
SHA256 dd90876b4f0481e94f8fc2b72eee4170f62fc07fc2e03498aa0707006f2ceb5c
SHA512 0b9c412ecdf0a945eb7bfe6988a2f60fbfb5e6bc2bca4d8e55f0cc2d0ddf1e92721c1e59268374216fc0f797e23661f5d38ed93e4a15f63b3f7e3bc297f70535

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 67cdc30811f89e84fa4c0bcc092924b8
SHA1 7785576f3cf07204cad7720b97ff4fed040af03f
SHA256 13a8c1164e6c439b5a8ca540d1ea7030b2bfca76c1c563980d774ed9c0b2ba89
SHA512 4ef5b1bfc92ad2e7ec1cccd690f174b90b2bdae97249c0d08f0532ba86a6e6fa128fb87072ac8fd992bcb63af4caf68c5abb2e9ec9920fbb2e541d7f9b91db7c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e38daad82098b46652bdcbf9e5a1f740
SHA1 d6055a571410ce544d7e915da376e32cd8a1ad2c
SHA256 d0d2c5973f77ca7f6960948ac589c635d08ee49644f5049abc8f1808176d7e58
SHA512 04230e6a18c2f2c643bff07b47448c721fdef2b040c545100f8c3f4f60a2083645baf2f133b29730d55b466afca328b133b4f9c691ddb6656a958e2b38eb7e96

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 490db1101cac1dead6adf636931dc614
SHA1 797a5db7f0ecde0246ec83c15e5f77296dd6e54c
SHA256 bd5b23631ab0814fab89af76a18d114e1d5fed81dbd172b3090a6881f8bdec26
SHA512 2f143b21edf2536956689e1f96c8f7397f39db64caf38c7b5b6eb2379c04b1ba91fc4b34751e7dcf382965516e7970f0ca9cd9318deded09bc7b50f72b527bb2