Malware Analysis Report

2025-03-15 08:23

Sample ID 241021-asmnbs1bnk
Target 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118
SHA256 d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

d5bd5e131104a950d83a076005a7ce9e1685ad9c00ced88f3eb43da8b6c26dab

Threat Level: Known bad

The file 64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 00:28

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 00:28

Reported

2024-10-21 00:31

Platform

win7-20241010-en

Max time kernel

146s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 00:28

Reported

2024-10-21 00:31

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\64dc58bd24a3c99ba0cf6a9e968cf955_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
SHA512 0b44ca4a38d8e53ad8d0254288ce15c7e637ef9855fc108ca66754d118befe029e53ebb579e067f3b5defb7d611d6447790e5c2e6a95a344b159a55290f2b153

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9c7ddbd14045c07b7117f08a8f56dd0c
SHA1 644b327897b3b346ae511d660a049132adbedbf0
SHA256 588951679137800929070dd8bc51a163ee5c57b743a7a48e29a1d4a1a2aaaf14
SHA512 e0b4ac3218354062fa3cad7b3cbde91e3ff9a0aec13fda609144de198e5710c099018857ab643c1eec1eee78a7248ae7adc5f1aa20c2382702064d326b3dca3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3205cbed493d5e5ff29096d362e2dc10
SHA1 dcdcd11b5ecafa65507e2a0aca19fe6c66dd25e7
SHA256 bc782c6609a80498fa0f712d9e778b8b0c7a6049897b87272a4196f910018910
SHA512 d39bbf2db5d9dec5273347597eadc0603c3990a49b472799421d7958e262a6d781809090594830b32f8da4fa061c6c5cab8bfe14cf24203ac8f8cd892365a590

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4328978cc4cc854b9297563436791aad
SHA1 81096096f43bf985a1562af557123ea8d802d09c
SHA256 5dc7e2bea8883bea51c2917d90694f1a45532812c5848bd515bc8b1cd01489e0
SHA512 68496f316f8b63d416118551fbda994129ca74728b02dd7f301fdd78e3b97ba8569d7f6a910e14c4aeb36a5a7a7ffe15207ca13a3a9c8f5e02193dfb9aa52e5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 29e880f43db58ae41af6e7bf300ac1ff
SHA1 a8a0ca0c4a07c5ef74b9900bab86d112764c04ec
SHA256 c468ea23b3d33c4ba68da59c4a99dfead702cf66c133c01edf05448f197a45ce
SHA512 78ce7841ab145c159efce1813e2b5890ed6001385daa188eb0a53272b9cea661835abff4f1beb394843b86d28b48dc67feee5f524b0e512d0002d32fd945df1a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 025a3fa94d26c3a8fe6b27626b5ce89b
SHA1 f3849baf6d813ed0d3fbdfa2305020b48e6cb067
SHA256 3044668c830bee06be9413baf79c6679a912b739fa3a264cfccd26f7bd328f6a
SHA512 0fa5eb068f5f054fe2f2260dbffc1e94a0ee6637269f1a2f23027ad7318187e740ea067ed2e0e82af9c8873eecae106416c663d42b57168be623fbfae486d721

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 74e2568b8a92a8fa030cd1e6145b6c29
SHA1 ad0f04c5c85ca683dc32b55f6449fcc0fa642f1b
SHA256 e1cca9534246cfb024aec8951c9b960073d1696d251ffa5150f2e292e195c396
SHA512 12a012da92a6e7cca8b8bd7d8e77c92bf511def38475e83a30624496dd2571c485e9f580b626e75c8d7cf2de56f44006dfdcf6860df55331b961b108de64d700

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 81961cf9ff8548c7103bab0dad706810
SHA1 30776e33ef470628780e7f884b91f77c57e5016d
SHA256 e9a86532a2da9f4948012324a47170d78a954e6f393751e2241b3ae06b743991
SHA512 3b312aa892826011802aa36f1c28b25b7c6a096ac9d8ac9651c4f22a1ecfd6f0b757a6f4674129bd45ab7338c1d6ff61c6a51f34ecda5fb1dcd9dcc3057a96d1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d8e2a080f388753cb3b95c7260aaf61e
SHA1 3c7c48c5a86dd1b964f11f790d5eaa185ccabd70
SHA256 3c6e391391d2dad8b80a75b0858fa309f7c5b5f3a4d02c480383584dc69307c6
SHA512 ed6c0509237cf04b4af8b25b988911e2c1faa0107a30a5118bbd25980cc45c77729908978b5e75ac44f29244ad256a2552cac46c84171618eeec6017fe88b5ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 df53e4143faccabf1e5743ecfc6d1052
SHA1 84a964c62520c0ab5a6358179c60a8bd91812e95
SHA256 0a70b2115fd650fb74179c5dca79d4f540e6c18e2a62eebbee6a54415b6ce92a
SHA512 63425c05e5c26fe21020f4c877bb0d682d78ea49d1ce9368d3510c683bafab0b64f65f9381471a860af2456d2c72f6ef942be82932da4485c5dc680c792e0ee2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db56a94ab2fd6b6aa23ea149e779bae4
SHA1 6af814bed278fd0ff3294be73ad1f5109d765578
SHA256 f8890322287a7194a54bbb35a5858a18281dc501c82cba479da6affb7281dc25
SHA512 dcfa9a463ab39e15ac1e76d6794d226b2a27acaad310b136429dcf59fba032a935046985cc05cb6a842573710657f2485ef662f5785447ae99940bf2b124662f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1e8b503d82e8de07e2d97f8bfce3833
SHA1 684c08f9e8eb08307cb658dbc95e834788e711b5
SHA256 0e3971d4aae8a5cff1b11d45f947cee232c99f094c2b9f153a605d7419a04bbd
SHA512 b8ec3050c15752101ea52b9ecbba7c1ad0280aff5057d0de1ff771e4121c34ce6482e3eb49702890a5109411dbb173fae2804fa139570818a775507c153857d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b1a42a7f1288609eb3a2f711e9d88f21
SHA1 b0c50fab2698af781f739ce4165f3930a8009266
SHA256 c9dbeb623fe6aaf7af8276833154fca28c6a948bc65db413391ff498d9308ff7
SHA512 3b2fdd510c08bb0d4bd789fefb4281f2b5ab94b049fe5f2124d05fbc112b7fb6fa5eff2e3c19be1fa795d857e69ab3d302cda8043580e8a6ab41b81ee7fc6f37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 889afb6f0ed6e32f011a4bf9fbf9e3eb
SHA1 206930706f1723bc63aedf48a95011ffe7447d74
SHA256 a3890602fb3e12b4b6953f2ccde2ec5c5719f9d5eceede33341e7d30a096800e
SHA512 6c101e4cd705b996d1a0796951cff81c253aec29b513b1efc76122b7a8524a621228ff27cd7a87d200ef8fab2a4546f9323b7185f64ab6eceeeb1252b94bb62f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0d2e572bb75a158147caf0312135de9e
SHA1 9e06cb94e01e889e025e041b86d915a85b86a4da
SHA256 ed7fcee1883d453db241e6039ee7c7b85cd3b68de81f70f9a7bfbfb00c7b4343
SHA512 0ecfdac5b0e117c45f380fdfbdf544822bb1316125aa569926d1965af5b279f0d2f333431425ad5f6e4d398dbe8ccb33fbcb221a6bac131abd7db431f37df4e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd1c7809f2f9d8d95805bf6bb597b1cc
SHA1 97e6155479f3dc6e3a5ad68c93752fdaa20b79d9
SHA256 c1cde7fe54154d5fd977524ca4320589c891e75311a8e1fd86e2d661b48e3af8
SHA512 e7562d11d7266cdcb8d671eab79e05f119821ff2e39fc27c920d70474db8da3b80ccdcdcb6cb71fc65d11484a3672ae31896441a9de82e89ee419fa4c0f46f36

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e0b6d06376121d1da282d1c3e42b0706
SHA1 9dfe54317b31c945f26830791c5543c8a9b25586
SHA256 86ae368bf8d165561d126a6006eb78b1669b79e3ac9300d7c36df91403411516
SHA512 aa2e65dbc06b64a4c9277e710ceec85b479f260993375960111558eef73e2e836c3aae270d0878005dfb7ca56d6bfee47f7874c3b40e16de522387d09a69cc61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d7c969d7d18b62ef79bbe0ed47e2d13
SHA1 11566f80b5e653eaeee9d0b6b7146f4ca7aa9361
SHA256 e7a351798d0ea8ddc5e9c3a364f881bbfa56db087a52f3a64ed5d158e8757a13
SHA512 592bffab8534e3d91f1be7d734568fcc0fc2ec895dd9b1e81e8361608579a382fdf2c26cd164a1fc5c4a426032fabfee3c6be17441ae5d368a79d082b5854545

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7f1bb74ac7c3220ec80fb37e0265cdc4
SHA1 35f3cf94c5fb8bc2171742de494d0547ea9c55f0
SHA256 89da9740f8e0f787ff99bf8e2e5fad86b86470c14d0d0c8e27e62f54051c35f3
SHA512 e506b360c6789dc6ab934e6aef64eea3fb9df38b9993b79806a456b587b45c277c539620038b573e99128672ecc0bded41d9bde435e658a10bc3f667adb4683e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bced15b7a0f774f177241f84659920a5
SHA1 a216834b22652fa67c7f539359d92cee7ccdd188
SHA256 03904d57ddba76b4dbc47633c600cdd082fb032432bd02eb3d4eb155a8012b1a
SHA512 f3efe057a6a1451a3d6c8bb5125fb086a40d2719f518b5e7a668bfab6e289959569406b6c6af47f161f2ed1d122ec874a8e3328e0470ad90ea25dbc0c735d3e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 abd4bd09db9651a1642c6675e366883e
SHA1 139c4d562d74abe897b4f73a4e614f95de6e4613
SHA256 e2c3eb8cc31f5a9e5a7cad8ce626a52bdcfd5b470902dceb16d27e546c406977
SHA512 9b91726e81ca12bbd154e8f32b7c760f8d6271302f9cb4406deb1ae590897d94330eb69a9b78ba5d4856c734dac649f3522d4a62f7c0293076b59fdce4a3f3ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f06d44eb4a4e2614d649e15ec287d6a6
SHA1 5824a57096b436fc195ef639329e6db478ea4ed1
SHA256 78ae1d8209ecba9d35c6c48d02ce9b70ebbe69e95c1c7a004eafd639bb8de0d9
SHA512 d3aa8ecc89883688ab273e6275f2c3fda43e908d545ee45ed20cd83fbb55e068261aa803cd0376691e8a230d0c6b3301a1949cdc823ab21f29b4046a2559618b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b5dc18d6f799ab1ed4f4b971c432a0fa
SHA1 4a61df8179a270c4ce8dc5531aa083e2fc6838af
SHA256 cad1a188b42788c3b6866ae1b24393f296082452ba76a8b85b17a0c8fe151fdb
SHA512 8368f5a663ce0aa95c47361f8fe645ec0a9766160591062983392045e22ef6ad8b88a3958c999ab02ac718c8b4517e645971279271e6a41afc74254d7625d026

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a7b4be40ee6b6db8445e01f14314404
SHA1 a923dab67707630697d0483d7ffb3f98ddf04808
SHA256 af22700642bddc6fda72ec1e1890311c63bab76b75f643690c624809e3317bc1
SHA512 af8448066151ed27b8bf209eef8e1d44b82b948078d4464f4198a69b69e97c598e81dbc489ffa240d554b7eb80da3bb006a07c53caabf3a860df647cf1ff2f56