Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-2243hsxcnr
Target 64866d78e76a8f8011819c82feba730f_JaffaCakes118
SHA256 b35d13c902151869430199a330b0a6aa44e26cc436138eccb6a36f6ce74767ca
Tags
aspackv2 discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b35d13c902151869430199a330b0a6aa44e26cc436138eccb6a36f6ce74767ca

Threat Level: Known bad

The file 64866d78e76a8f8011819c82feba730f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 23:05

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 23:05

Reported

2024-10-20 23:08

Platform

win7-20241010-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/1712-0-0x0000000000320000-0x0000000000321000-memory.dmp

\Windows\SysWOW64\HelpMe.exe


memory/2064-10-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF


C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.exe


F:\AutoRun.exe


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 23:05

Reported

2024-10-20 23:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64866d78e76a8f8011819c82feba730f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

memory/2760-0-0x0000000002330000-0x0000000002331000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe


memory/3800-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

F:\AUTORUN.INF


F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe


C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe


F:\AutoRun.exe


memory/2760-44-0x0000000002330000-0x0000000002331000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

SHA1 f5a76df063fbb5983f4b9b693f2bec139987f997
SHA256 ed8049e616f22f357cc534e5cef792d8d62f19ab2e7f1838a6d45d5e7c88211b
SHA512 87e0c43a052f4a4afb7d828138c9d2a5772ba16f229e3ebfb13f035a7956df4f29d2067ad5562da3fea8d18703f411097c99401bcb59c4945e681763b6edd214

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0d1c73e5fa122aa9e5b10ab9c40bc58
SHA1 0256404f04c4dafe0a8db569e05a0f4876a915f1
SHA256 5c32b9a50596d273eea647e1c7c92e956427d3464210b71697f42a18deea8935
SHA512 6dfd451a627c99ef46a2ab1a2e900342d1ef0619628f7b8ce0211a39c6a25f87f143ed923e017c640e9fd6a3f39a052ceddddf056c87299eadc219a6a13e1992

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6e3f3833bd5c7f25bafb594e860e46e9
SHA1 3f279e3cb3eff60695789165b1a885d08052d05a
SHA256 24495002d97f113c4097f8a8a394e91a4b6cb8d417b0854ddcf9bfee141cbe62
SHA512 fa6dacc6a093a938917be5c779e7634fde8d2fb32aad9cb39c1a487a2d18987d80af2c3630848dc3d7e05f12e3e08f6037eac15c6209756b8718ceacd094dd18

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3bdf4fb16e90103168b722181742ffa1
SHA1 fc60ddb6f7cdc76762809e879fd0ea77c1ba90ea
SHA256 ae2ddb7a66f97b4635c37a5196aa2d5acab8c094aa669868b1bd043f25e2189c
SHA512 4de27eb4f113e06df1a16043bbd73c1236dfcf8190a4eb626a05dac80a87e918653db04ae4a3cff350534ba388e2e305a09def08e1c7b66144814d5ce16fa829

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d8740052bd6b95eee38801dcfa5dc337
SHA1 e4481fdddacf23dc780f76978f23a731386376aa
SHA256 597c8e2af045acd53d7870a5c165a9ad73e1cf54f21671842db4f736051dd870
SHA512 2f698aa727399692facef1e0ad59ae0a572a5484afaccdba3b5d145109119c6221939f7ebde0bbbbc209325b5ff791c584b0e94b22a0466f2e86caca99f77ce6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 77fb21a5d73f3b975bc97767281bf19f
SHA1 70aa6abc0aa03e8eb100af3b4c35f23037705901
SHA256 43ce9e69d6127ccd935ef60f0514d921988310c55d99ada6533c289ed42421e8
SHA512 7da2a325d9a27cd98e00c742a1da9f2d599d9c952190ce9099ba4a4d82efa9c9db35d8e05110469ad0c374a6a46072e975cc6982a4c71be081dde4ea256c4194

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dca05287a257b1c88b063218e72ca47f
SHA1 5665d51738dce92526062faaa3bfa40a1fcb36ca
SHA256 1e7b031d1af32f157653820ec240912005364d1304cdba454e49b6c93fc7810a
SHA512 3356b8de7c6cb9e6855bd25008cedcef90cd8b5c2a8527616a61c38c8ea49b8cad4b0e5e07f383491cd423751cc1d983e94a869f4c03b4f509245740143c0c2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd954796fbd9db4f2d3d22e18cd2dae3
SHA1 b410efed65e7f66200b00bf34ae9858401288a98
SHA256 8255258a019b238d746c3bbce7bc524f9b069f42a671183a34a5e90d77c3e850
SHA512 30a876f2e5cf950310cb7c357019210e53e2efc4a746ed5aeb27a1f2e0459716e3217a0d991e3920cf98f649bf3911c99ff2a20332949e4d95b842961f2d00e6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0d84cf2f85ed876ead5d7e159056297a
SHA1 e6694d3b1784e4b691cafc069feb8879a29c5c20
SHA256 ddd8d49d96eb302f4977bf5a11d112d470432090d2315814d3964299b0f17cce
SHA512 d72ba70ee7f3533c5f98c448517bb56a3a5399a6df9e32814ff8419dd06e38a44118c82e3311b2b462dde0a19292a9a404b6345313ff570c3dd47324b5c8e4ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 425ea098db0aecbeda48796c750a68eb
SHA1 2c0e35156abfa5ad45d7d7b2a246a8b4eccc857e
SHA256 c04cea627960996286ac280fb5bb09c4519a3cb6e3c5d23d211ec0706a1aad57
SHA512 6265cd837f3b59d5d672c6184663f22d98de9daed0235f7eea981c1ac5f866efd9bb02ac7e05f8b8f17f51a2fefe36588174789f3293923e7077710734ed874a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88047816369009922dc62b3a2d29a9e4
SHA1 03b4e939748470c11b16af760d7c15ffcc835ac8
SHA256 e9faafdff93a961fb9a7c4dd0311c8cbff2f846963755d2e38d6236edb1ba512
SHA512 5ab27fc151335e7b3c4bcf7c424aeb4bf45615f6a42feb12c6b06220ac6654957f805aac7e8b7673dc76c3556d7281655db37501d46b95b2ecbcf7943374b9aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d65c7869850319a22a9708cf683101e6
SHA1 6efa4ab3a7849e23ba1ef29ee6db64e9f5725b18
SHA256 aae765353a4eb567a11eacfb601011b6d813c68ff988b35520495a236786b683
SHA512 b31a2574b6e1fa67ac1f3f1a936e6119c2633582ae00b2a1a907f013df5c6b72daa43a2f84849faa78afd66d900c002e526deeb7be9ce334d5c96ba65df7f2f8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b89fe16a9a6dc6d23cd01e97dacfe0bf
SHA1 1090d40f6438cd411026ef0d239fd56cf93d673c
SHA256 5ddafcd5da0309281d21d6b3a6cd37ef670df2a5849083225eb4b763b7593760
SHA512 db9ac5142281945ddec8ace88d2094b0c253cac8cc08a36f19ef6db36e4b0070dfd7ab336cbf646877eb9200e2574c5ec0cbd0f681b1b5e54eb938bd8408d247

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bae1c9477b0c9426907938db80c1a01f
SHA1 3df3bb48a2432a06f58dbeba29a6bdc17d50706b
SHA256 b09eb394489fd8d306e5720631f7210d607bb8e78644ff3245f148a3b3436503
SHA512 0548f6a1ae9bc5c774e13f3e957cea9a1b20b28eee1f638e04417e18a1aa24be71ad7f051b262a00f4b0812479d2b19d1e6395a149a6cea4455c05a22d576781

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f806b778021ff56ccc37e02e98104ea7
SHA1 d1e644bedc8f8e68a2ac9915a9bdfa6de63957af
SHA256 4c3e192e5844e96136206fc4aeb64c9d0181c4862773ad38627ace6672c61369
SHA512 4945def417c4bfbf76dcd820dfd0079ad7fd46457ffeefa01cddef6cf8263fb9f5326386e8a73f5dc13f22c5384304b69a05d3a36548d447b515b0a113f4bf9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d96f7b52564319837dc3a7161d1a4a16
SHA1 d890112bd521b058ae109892022d41316c5c798e
SHA256 1ddb8ef03bd374218a3256bb795a854b705e65e62d83e23cca1d7129811c385f
SHA512 da7faeb63ca7eb224db4777f033d6b43414c4428dc80c8a01176edd4604b1cc173c807e4403a1a1cb9d00344fd93a437e1fedde5ca96d101cb5a0489dc015c85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ddec87dce4e105a1923181de8ecc7ff7
SHA1 b53e88bc8316acb7ad07865e7f70b4a820d9129f
SHA256 79551500738166b07f4271db31daaa7bf4a519b6a744abee36a4bcc4e97a06a4
SHA512 8120d2d59de8c03d1fda288feba59d8d85a2cdaa5cec9ff2fc3e35cf5c3f4936db10d48f169920044dbdebab905ccbe0a87ce1b5957deea6e4c62ccf59da07e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c559639e0481196a0172295f6d7b567a
SHA1 ca2091f580b4292ee4230fb0cd8ebcfbaa38ae96
SHA256 aa9e38569dbef153065249982d2620731d8ef2abd14ccbfa420948ed2b30f96e
SHA512 b654403efcfb1ef8b07de0f678ea42be7d3eb63464e035e2600ce312d4cde8efb220b3de5274d270fc1fed14aab2057049a737d40343a25790ae46babb8182c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 443b767cc61387f5f54d7b7762abae4b
SHA1 692b82fe2c1c8a41ab19f28be632751aee6f4f94
SHA256 fc0b27434cc344fd33f9f8f2138b2d0d67ec0783c24a61b118eb9ea92e587eb1
SHA512 e0871d2e476d72e1ddce67ab0e11036975ac8fda36d15a34687a5415e023a1d5fd82ab1b0f41d41a5b6badc25ef6ed971ada2736760eca02990866dd9e5b77a1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07c39904e195d4da1dd80a97bbcd859a
SHA1 8709d4a9e13179aa48e05aaf34d10cb68a83d8cf
SHA256 c74f46baef25d457ca10a3ebe1c8d6ae5ecfc2c65bc726b4abeec329717b8940
SHA512 427e071f4e60dcd35eb5394e664ca60ddc61e9ed080becc819d658da61b7d6c0485cc90926fd8063ad1e9c373b5bc0fa339f785dfc265b765c7bb0b7007f9308

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f9d470b29a170a8d75377c8fdbda42fa
SHA1 04feaa3a5c62550e85eacddc6b15d82397cad292
SHA256 a0240f84c7807cf12f29859992f4b0f0d859fe0061c417816519de95fe805945
SHA512 7d17c657eaa6242be1a1338145e61859d0ea7e1c62987972a29b940ac2ba99f546da86a867c07e412751f5a53c03556987312b10c486c6fa6df3e67b7e3e7520

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f4ea3c686ce4fe076a251098660dba14
SHA1 cb8a486ac0aeed47eb3f4ade78c8b32b35721ff0
SHA256 071a70c02e3ffd1ff227ca8102376e0063b658d4479828e5aa034c4593946eec
SHA512 3536d93d3a9d5ca8521bd8dbf5364c9af3896d24f287bba9d25311b9262d988a9d2ede4d93a120b53ec971cf3c50370a1d09106c0eff73f72d525244e009fd3c