Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-wjkm9stejq
Target 63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118
SHA256 c261d6ebc32282620e3c87ea728898a3a3fb12c63e7f6bbd6a405da8290b1440
Tags
aspackv2 discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

c261d6ebc32282620e3c87ea728898a3a3fb12c63e7f6bbd6a405da8290b1440

Threat Level: Known bad

The file 63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 17:57

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 17:57

Reported

2024-10-20 17:59

Platform

win7-20240903-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2812-1-0x0000000000330000-0x0000000000331000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 d457ae59164a176dcaa5977297ea98e4
SHA1 55a3c6b247eba0e41267d201e47c2e181bb2e588
SHA256 2dd5ca2cbe64e70b59dc1fc7a7bba815efc5dcc0e25e392a173fa9fce68c822b
SHA512 3cf5f3fc052b86ef35a8f85dd5082003541ed9bce1548eb5155df96e004f64bfe840629b2d36761d277e8f84f8bb4afcd65ba002e1b80483e66754d874420d68

memory/2680-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.exe

MD5 2c6f07682febd18d1ae83debfe506351
SHA1 9b56ab82b20f972634b948cbaf10612ae530ff37
SHA256 b11f8cbed75c2087a3e3030485d928e7ef5824825ac58c9c0d5eeaad9901e0e9
SHA512 46856fd2aac00e3dcc1c4f7700483b42ae475946a6f5b047152940d0800f286ea04cf241a045924918a14668e35585ab734da3de0817966eed7d5fb435e38c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

F:\AutoRun.exe

MD5 63923aec2e32d6b8c464ad423dfedf77
SHA1 60cc352fd24ed386855f73414ebd9de267d20eea
SHA256 c261d6ebc32282620e3c87ea728898a3a3fb12c63e7f6bbd6a405da8290b1440
SHA512 ffd01d1956e504fd3babcebcbb936b92c66ed6d269630b0d23b23d6d6b8ccb5ca415400abdf4dfe7f6677d848cdf560270bc537cf4b186929613749c6b9cb472

memory/2680-230-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 17:57

Reported

2024-10-20 17:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63923aec2e32d6b8c464ad423dfedf77_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

memory/1632-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 d457ae59164a176dcaa5977297ea98e4
SHA1 55a3c6b247eba0e41267d201e47c2e181bb2e588
SHA256 2dd5ca2cbe64e70b59dc1fc7a7bba815efc5dcc0e25e392a173fa9fce68c822b
SHA512 3cf5f3fc052b86ef35a8f85dd5082003541ed9bce1548eb5155df96e004f64bfe840629b2d36761d277e8f84f8bb4afcd65ba002e1b80483e66754d874420d68

memory/3120-5-0x0000000000630000-0x0000000000631000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.exe

MD5 9f073e41f8841ff712359abc366708b7
SHA1 aacdc1f7023b08ceb8c61a0db2edf9aa95e5a42f
SHA256 84e8f01411cd28c7a30755e95dc461e8b373a9f6d004cc354723c10f188947cf
SHA512 bce43202f0302a8ed47a0577d26325485665d5b0ec541b6d292e7c88a0b5e1c5f72b02c0a6abffb60afbba1f7190cbd3b13db1c0b0f914a730fe5d6ca69452a9

F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.exe

MD5 70b9806358c705a0b0a624232e4b9c72
SHA1 85d65a01705845aba4eaa418dfee065adc522ede
SHA256 9a50b50603f553d257565634e4e79f8b2a19c2bce5ea693651226e1ebe6e0417
SHA512 752fa74d6b50c0389641a0b04ddd217d01715500eb57453d689629350b5aeeca58986c79fb8aa0dbb8b5d7d8422f78d122e3caa51f6359bcd7a795299dc36ade

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

F:\AutoRun.exe

MD5 63923aec2e32d6b8c464ad423dfedf77
SHA1 60cc352fd24ed386855f73414ebd9de267d20eea
SHA256 c261d6ebc32282620e3c87ea728898a3a3fb12c63e7f6bbd6a405da8290b1440
SHA512 ffd01d1956e504fd3babcebcbb936b92c66ed6d269630b0d23b23d6d6b8ccb5ca415400abdf4dfe7f6677d848cdf560270bc537cf4b186929613749c6b9cb472

memory/1632-45-0x00000000021F0000-0x00000000021F1000-memory.dmp


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fd5c60a756ccb6048f20211fe028069a
SHA1 864aa47806ca01e8529c442fb52faa0af4735ef2
SHA256 87f9d45598f4eb825ee2f43930d091c1accc45cbfac2b73f7960438c189b02f8
SHA512 756cd38aff1a33e756c0e4a201f41aec0543c5bd267b2813a44699135ba56db7b35044d85499041892875a2039b1c0e898b0d93acad8873e0f3427369089fd77

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5e8a3f13b609727e2330da2cd1157378
SHA1 ed80f00d27681ee5e527004846605e305d23d7c4
SHA256 1ecf09e94cff5fef0d0e5a304821b1c41340beeb459ddef01a4b719aa0a932eb
SHA512 71bf61ef00bd56c79286904e019dfafa8fd6bd78cbc01f39624f96ed50f3e2bc7f40eb648583c8d61e3b0fc7e2ed291011fdcfe60bd795164e387ca7be934007

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7abd4cfa400ca9a5651f605c7d804be2
SHA1 762b7f1f979c086a7a9534dfefad79e4bf92c4fc
SHA256 e0e893c516adb2dc4cd29caef0126652fdf06f49d304d77a3668aea7768eecb6
SHA512 f8c1638a709476337ac5c39b6b7f97cd3eb439a70bccaf3fe248bef9d2525c1c0371079ec6b1d4d7107bfcf21a1237fdb9e7c2a8d4e269fb03553f220ec25b44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b46031a0ab3a19ec0ec989a595827214
SHA1 3c7b39b862aacff7d384341c874f3f62e733512d
SHA256 cc64185211da48191c454572e4fb3c6f2509bfae98e8866936b10ba413d300d0
SHA512 51bd0b15c342c518784ffcb08a277e7b9c4be924bde7643001879a37dc129a8e6827e2a6b1f5adb00ac4dabc75ad2520b0a6572ff9839daf0fc8de5bf195f1f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a37f70da4bbedf2f11f6c68a827f4bda
SHA1 ab2cc8c3ca60bd61c8409a6873bb7fdcaefaaeaf
SHA256 867077a803ee5b69d380e4e1723e6fcadcae30aea0f1d6c3ba099132c18737a0
SHA512 2601087c03362363b2c0f111d7430e5e8ec30188acafb538c87b6ce53586d1d2fe5914c0a110f05ab2f7d82dde573d1330d57777e33733d74afb32733baf4129

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e0718f94eba5949659aa5477107efe91
SHA1 f07d15dabde2d83c7dc8ff0c69a727828d19599d
SHA256 1f8a1b8e2fd6ababbe14f71dba49eb6db8f196478c10ccaf94cbd6c23c977a46
SHA512 543a27a9654324a40599f6d58cae42580ac8d95ea9d7d7b57fe2f31c2c5947c59cb452c5baf8d8edc045bb862becda2eb7bd6b3d21836e163d52241707fa95b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ec1477d713d8cc2ed166cc1b89f2ca69
SHA1 24ad0feeb17693f5fe82bf08ff4c3418b75dcc2f
SHA256 4a36ac8c48062658063f98241dd07fe2bd288a1e7a33b1a81802e5eeb0efe8d4
SHA512 2041fe4a6fba535395be8244808c741b09c4e7fa4c83f2a09b30a154bd453faf57145115dd86bcd3bfcfd70ace64b161626e12ae6acd89a6f43c27361afb1347

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07a4c2675f2bd662bf143e7499ab5a6f
SHA1 2c674419c2baffac156d0965e4be517dbb7b5730
SHA256 c5034ccf8af2995970af0ad89d5ae35ec6bd80e1b6930ba2d398010e70372f8f
SHA512 a9fc1d35a010ff5f22800162f4a9579ddb352e8e409ea370503812ac69490a8ef93f87884e04de5638544eced69274593c06126a9ca343406705de1db2c465bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 70a2e4eff2c67250734a10671a4d1a08
SHA1 3073eca74fba753f66f67fa81500e16603e4ace6
SHA256 975a7dd4b70be64ff6e0cbfd3617d01a9913a9f01080a8077a920bbce2aa281f
SHA512 19f19fa57538a420540617f84d9d18360b5247823244cef76e575bc19a2bb7886d931cca6979057732e1225837a60206bce16c89f15db88919c3998512aeb307

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aa76aa389b30210277a24d608533b2e6
SHA1 b29032a4b7a86b2b8858562a4139cb908cb8306a
SHA256 5fbd70f8e477fb351a66739520ae9084cf602632843ad34462b771c14a626b72
SHA512 cb8a8cd3420e7b15a164f9b9eab56b10da642c94e8365011da38d04c14f9fde939f9d656a19c9e0c9d06514c0df5e9b8d8a3ab2ca1d2fbb9177a083a674850d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f17ffdd31bef9a3c01be262da8f74c4a
SHA1 dd33090830f252cd57a5d72430ba70433c1b4d84
SHA256 47bf91beb61516313b5b8ec21e81e5eed81c352547f972dc51c8398f4464d58b
SHA512 aacb56a5eec867a566a4d8dfbb8dbe03e4eb6b8c5d31850c633448015a518af9d07898928b2da0bf752283bdd821e09ff06de010ce9c5b467cbed6fa71fcef73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 18dae24ca598405e95644caca7dd5c9c
SHA1 2e400b800af3f2c4dec81f23ba39f97a307695f3
SHA256 a34fb44f09b70ddc005830e2832fe8f9f6290ac799b9f19d3a65d1f2b79b2f09
SHA512 3eced25cbb55d4df12c6bb90abdf60a8331a23874b97a9e334eaa5937a49aceea95df3392cbc7c2bdfd1d0c54afba32b080b20fb923002bd1f3c840b74a0c663

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7136d451a5c38d3d354c61138fd36fc2
SHA1 e0e15ffac8195b9899c8001f2fd63e758ec3f22c
SHA256 dcb1f29f85e8c683829806110fbb11fcb21c4779606a5ca7a08dc3e841ea0dee
SHA512 63f453897ad1de9f29a4036583a3b5c9818b024522a67881bab4cc91b0c502b286fbfc8aa319375906dee1caadc8788b3fe6686ec52354522c30770c22e6c969

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 50c2a4391ac737d1f6e73c6b061c476a
SHA1 be6993fdb569536b717f4d2056afc581b5d7145a
SHA256 e85272a5e103947ac2c7b07cc313748e64ae5d265a8fca810dc8f1494f430366
SHA512 689d83d69cc3bcd8ae151f4e62365877de0f50b21e41f48f2060d938ed2c0174029a6daf45872a286573e8f6790057084ffeea20f5e4215e0f880ba3f5ea5858

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 329ff9466998a8338c26260f7e7efcf2
SHA1 84bfc962f52eb727a75836589f69914a51eac3a0
SHA256 dd098ea9a80ccfdb71b8eb1e7311c9e99e1fee1a40e8f7b4f1b2de7ade0c9c66
SHA512 dd990ed0da3e07604a95cc10636cca45a2fe0af4c6a553f6ce6a906c9782f97f713219471b71c2c611863a34cdde4aab383772522aaca0fd687f0afb106cce64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a3a8de68e84663623f1143cc3c1889be
SHA1 e1aeaac14ea8b6756e6af5007cff7b7e088ca3b1
SHA256 f785b6de502aceacd1d5397cfa8533127409a783abc08cebac5e0ced20bcf96d
SHA512 0facf25af35cdb79f0df0c793c87342ae0841b15ba5887fe249bc007252f72a2f7eab97b6ac25174cd0b2fd6aa52a2f9329ae1624b96be19f290928b724c0f2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c754ad9e9c9c3fa33fbf6f443b3fc899
SHA1 d6f2d380d5d524c6a224b382a9933ad7010e2c88
SHA256 151eac0d7c65c7520b8c4562f15af6e1f4f373bee9bfa3fd8eb4a78992e6d1bb
SHA512 94dfb54900f15ca3a96a9147519ee125682362dfe29ca0a03a0836a4c1f1348c6d2790935d70b0c1c3f98ea577a2098ee438847ec172c5c237d8fa7285777f6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 adbd54409945fe843806d0ea269f802f
SHA1 7d9a8f79470e718fae16d07525a120dd8afdcea7
SHA256 800e2c06d24f70f22d04951b08653c128effb7a7d37a36a397337453f904ba2d
SHA512 c991b55c9b012571e6437d9421ddf0f156ee2676f05846618761f9a8a81cb733b0526af34aa958213742848bb0e080b836e9eaa80740704f2ef4350e59cd690f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c7b6b31ace6ceee8a5c277ea54931043
SHA1 5c7bc61df57b8b49402babcc0c3213041286cd8d
SHA256 3647641bd9493e5573973b2f876e73d5ec0514d1a33c0d88d6c1cd65d665b40c
SHA512 c598a0d7355505ef42c805c8769886e95de56da418fa0a1b00a2be4ef281ab077a6140d054519c7bea649e065b6d7e70632be5fb7c20a1d8ef29122be3946707

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1d9eb8241d72e4ebb2960a03fee1c25a
SHA1 ecfdef470cd83a4088cae0704349022341c993bb
SHA256 3e2dc9190147b6e3c981c738e6b11f71d36076da48332de77048ee2c668da13a
SHA512 e1478e23d12b1409e9e57167e04af72512e1891e9a9dcab72e323295d75bd073c0a797d2e1b5d27dc9c7b011e8c83f159c01c83a3baff9a56bb98f856bd3bbb3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2d9db249ed332d087bced6217a3d6208
SHA1 41dcbfc6088d51905706fef104c3ea4fc7bd9a50
SHA256 e782600ca65ca2103d0523ce93ba5e238cabd844044831623d90200faa9dd5b7
SHA512 f5c987e32c254fef397e743bdab0fd95bba11e63c053dbe5559d492b0a239b52f7b71d630ae5e874c4e6bef3a940e41b2287a3462322392e1c82a3960f49bd99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8d39fb8cb791cd7d577e8c111a6a3f4d
SHA1 2a82beedbdaa9ead9c9009f0ea0c408d51ba0f0e
SHA256 2f57619ef30b96201e9b2fee8aa948cc358fa16d995bbcb429667e37b484692a
SHA512 0d7fcba304d950ae6694fc09c62f17c5c8f92822f48d67ccd0971e4cefd7bbe2001bf48f5aaeed65369c0b3c51b9c8f2c3895226e657e02eb6687d60eb97d99a