Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-db9y3sygkc
Target 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118
SHA256 c93330b32987c7050b4755fd051910c9394e1d26e7be43554b2628823753e630
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-16 02:51

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 02:51

Reported

2024-10-16 02:53

Platform

win7-20240903-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2860-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

memory/2992-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/2992-230-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 02:51

Reported

2024-10-16 02:53

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4b1b48638ef3cbc9331c46e3b4e401f9_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3968-0-0x0000000002310000-0x0000000002311000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/784-5-0x00000000021F0000-0x00000000021F1000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/3968-45-0x0000000002310000-0x0000000002311000-memory.dmp

memory/784-51-0x00000000021F0000-0x00000000021F1000-memory.dmp


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cdb2984566f3f9feccbcfa6642123987
SHA1 4d03b46751552d5d17e7f6fc03c69a141f31ac46
SHA256 81f255a9da3fee39c2c21aac27492eace6afbe672868a1aba190f8de08bc389f
SHA512 624044caeaf4836ac4fc3f31687968be125940e455d538b5d5529a5c803c5a4cd5109b02535216aa714679df7b3cd1df046372c5f8a3a77d80dacd5ce96a0122

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8ddae51c650b7f128a081b8268f14151
SHA1 bbe86e711257401affc6829c794f3ae007939fab
SHA256 49fe61ed6be6dfc2e7cdd14958fc99cdae90ab1c2fa29b5cbce4bf678bf23080
SHA512 4cc34df6ce5b2a8029275cc38b89cd1638bd89abcda7516bec773e732b5b6d864520c620ec53ab38006d065125e2fdafcc01e7a9b03fcb39f4385d1e067cd15d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f18832059e40db9f808fed7b841bc771
SHA1 35abc69e2f5e99d507b71ed1961ee8ebd37d96e8
SHA256 24267b85a8a5e5a4e1ad972f455af9c02bddf92ba0dac67499fa8405ef381dd9
SHA512 261b1be3cb2b1254cd78431b51645b995913ce51d35338c16a211abc2d2a0ddbca4244735cad2b82fbf9a2e0c45373f36844e822ae4e74dfb6acc0117137de4c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2afad141a6697f532b67de12bdf8d30e
SHA1 5aac0d3d8d7035d5e503655c7ad80623bcd0f450
SHA256 080ddb63e9e1826bae075c00df3a7c199ec43ed413d13905a3994152fd6fa4eb
SHA512 043066da4818f55c0fbf91f734492adf96a6ba215217146d169b6122c7e637027e8abc1acfcce372e4d66edd99d0af298368debd1c5376d306f10a031b4f0f2a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e1f7125ba7e6713867fb64a00c108261
SHA1 d66120bae2d755e733c0bb2bdd18640140dbb136
SHA256 b1c75857a44cb13613a3ba548d3354f0e2fc4e2a4ceb4b8fe57d583c2e517045
SHA512 f9fc9ee1546c7876748b9a6af7ffdeb7b8219677e74fbe0794da53c79467269151004736c9c79f8095e9f943817b6a1157f23482acc466ac5e34e7f7dfc37bfd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 087f2fb4a1c4f27de026598f501d5138
SHA1 12ebdd0c34dbdef8c07eb155b2155e534097346b
SHA256 be8947471097b27ffd653f96702f33f96feb3dd4d54cc42f4ecee1bf998ea2c6
SHA512 1ea008ae329f9c301aba66dd677be8870c491fce355440370de87aa596375f52c25254600e08019a70489e30fd31c9d62f1ac903224652f6e831f63f954566a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9b03e448bb87860c5413fea6fbf547eb
SHA1 e86360f0127f7bf2a81601c4bfc8cb32b16bda88
SHA256 aa9813c8faff4890c9ea2bf9cc86bd9f5b6edec63d6dfc33bea8fe0f00c1b23d
SHA512 5016efaa0c22ee6217a262a9ff43c4f8ad086f54122432a52ed89c822c2fcb230a263552b2fc65ae81e4e402d8a2aee2083112d9ea9d8584aec20107e8951479

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd76141a253b1f71dd8f37f12c526c42
SHA1 233375dd7ccbc92993b08e24b35fb507f309f079
SHA256 f65f843309de5a467657929a89a6463b741b6a176bb96e758498ab61f6b72536
SHA512 f0a130ca1f9903bb37b82857877c1a332c66a7777977b5ad8b39fa202248e899727df3a6f008b4dee4b4888fc9696a179e4cb9d95961faa0fe97eb3e220b31f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a214ab9566eb8fbbaa6acb8e1195a32b
SHA1 38b08427f3c12b41940c85229fafc83c38a9c76d
SHA256 01830676457e7a29f3ddf426cda1598dc88acc526f68e09e063003b399667712
SHA512 11330e375445687f463c07f1ec4d5579ef1e7d4bdcd002c4dc8ee3f6880d6f7ed366828800cdc769d0f38e6611831f240b4110270bf79bc6268cfde1da681d59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4c844224e4334a118c260542514d6267
SHA1 8939e91b363964b84d06e954c9dd9156fadb58c6
SHA256 a406dba1f132a3301ee2782b1c31e957211da1d568a0568db47553ed87f5cb4e
SHA512 41a63f9c6b7ae1c866e0458fddb834a04420501b908d62bc17b095c7b9eed43bcefad5844eb62dff4be9c55587b0273008a25b0a75b218d174c2b2a008ef480f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 80684b67d3209fa46f5b8e7733bbc5f6
SHA1 373d610ea4b7baaed433d035fbf2a353dcbb1fbd
SHA256 d70165749fb13ef8bbf787ff18ef8333ab192ce698b9aabce6f3f9e73a33f2de
SHA512 034f030be3fea3d0442a19338ed513eeb64be3f108f813ddcc5085c80589879285574417c8751666da865116c0043e990ea7ba5fe6b14a98c4bcb5197a5e002a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 50a3298ed916c20151459482b5b5f9a5
SHA1 f4d29633fde4e36b3fe61c751683302b332e9c53
SHA256 09f6a9b202bcb7c3a98fb71ba22d92f7a4a9cf35f8f86c8bb76a6ddfc1a8a4db
SHA512 7a2fe90e64bc54ecf6616bf83d267305f961adf8b5dfcecbc90378971154813e5247b8225f45516602adedc306a6e9f70e1e98cdffaad7ac009f06d1e580c133

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f76a4c07a2e78224a243a3712b320bc0
SHA1 e02ec0821f8b0f8e9483cccfb41042947e5ce30d
SHA256 86ca4b16e9c45c06963f55fcf18fde0491b3c02e5d5b0d6696d5e1d361f940e8
SHA512 89f9ee97f71eb0910c67f216c5e69038c3c8c9848279742cc76212635b57d69b97f35b0356704b05e11319c5337c6aad17451dfd5a9f955b2399a07ebb91b57c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ba5ce7c2da52c82108db93491ad3c9c3
SHA1 7ac9696a52286f5bbc718b13289805be9467bb12
SHA256 264272ee69e31621a3f66aeea7d04b042a0609c9c217599174f8e4d1e351e878
SHA512 b99bc156b4ee92579c91ea0287cfe61e625ce040c50728a8ebe83476bb5f2d2418425e29e9871b99c77789ab082d4c5b03dd4162c71fd283c4c4a0d38754e2bf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7b6edbf3b783f6d50c0a030dd893f94f
SHA1 d158fc8c86544c0eac785ccdf8490a5ec2bda479
SHA256 e67783b5d2493f106c9bee9cb3f264b0c10d1292fb6743e266178eeaf432dce9
SHA512 37c816befd53d04e9e0d74e21bbd83d962e2fcaecef57a3c83939eef5f8a9fb8bc33bcdb84bf3b5e451baeee23c08ef1f34d329825f2aa25ce82a29de7c761bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 868fa1260e563b6bbfdcc77a16619974
SHA1 814e860d8458ee6869035f9543ca5d009c562fd7
SHA256 8711746b88355b0ae8460e44fd9349c6bb671745d481c60f137ce17a89137dc5
SHA512 0611d023abdaa863a5475b7991b7f91c636da0d29146299db592d440ca5ef03d01ae0746ea5cdc2d2f2d706b29e552e75a803d4c1c1e1c660d3367705d7bffdf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 603755e422c90ca6ffc20306f0429e04
SHA1 da60dacdd2bcd7aa3a6552147437fd6d44f702a0
SHA256 a3d8dd527c79156644ea18fbd7ac3468d10b27c0b5a07ac5f8c09845c48e7ebb
SHA512 5a5e5840615a425c318c1ba7825a88a3fe9e8e8cf8bc1b81ce77f19c161397aa3e85c149330f045f8e4624844cfd4f0fd4aae3d6e41cd7c5f9260b539d09747c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b4f20c954ee105665347d4a6408a0a11
SHA1 079ea079d71ecffdd97eaa0f0ee193fa516012a2
SHA256 5e01f892b9671c2574fb3c9ae90056c4b85981b800568491079fa46107295480
SHA512 ed93e23e6d52cd72c8cbace5b64daf0c36d37ebc454567188992baf43bf7bc8baac3f7214200e3815ec100e2225b2c601dd1164cc96133f4b6c9abc23a30e11c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0e929ff2b011780639db085810cf408e
SHA1 375012a298bce05d485b0852142f4b7bf148dc46
SHA256 240ad4fb93576add912612ccd8a90cdcbda67a9b66ffa77af20ae52bccc06ea4
SHA512 a0b4d99c324b6118318362b3643c4592d1c0183ef892fbc883f52be58ea140bf11fdc610a837eb77c218815c6390b9edd2f1e9df7b066689ed4f8a306372032e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 99f315ce4e926370dd372ca4a56770fc
SHA1 05dc9d2c58e6cbaf4dfd162b520d3934c7aedabc
SHA256 b1c44eea2a01a5420ebb302840f5b1930885dd9d9c271666fae7a2faccf43241
SHA512 6a3a9bc59986cc688d9dc9af520ba3691ad447b77d40d003a9c266dd67c62fe627f1d3ebfc9f3d277dcac58ed19f3e75634a0f17685a1b66e16bb5814a4864da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 10ffca50478a0650ec4fc1cc886eb29a
SHA1 ecdaac0dcbb64d83566e1cc3ef08d3df3c699b15
SHA256 b3a7deb226b8846859ac49ad7184ade9f4e82147fd16c4954661ee7e2636cfb8
SHA512 d82417e04fcb046f8b500410b3ef1188000874291cd741905f07924188139a0abde0655ffb4356674863757340167c826dec1e72e4f2e47be055f1478c1b0aab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a457b8b38607558c5a19f52f590f6e0e
SHA1 8fd12c241ad410066688bf6be518bbe09872a94a
SHA256 14bf312a4009964d04f463b2834367e674fcd2b92f3b2ed0f08e94ed48ecf8cf
SHA512 5186ae87b8222fbf5746cd1b56b59ec794b20bb915a5fbcdc6f96caaf8be00d3d6870f2e630161abc8efef852fd656a575e440b095d74e335c90a81a6b001e76

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 54ca419601126c728373a04236fecf63
SHA1 7a84820e46fe44871bb693cb4c56eaebc524741a
SHA256 96a5fca970c1513ae068d8b4a803440cb3b2c76f8bcb7a798771479ee9ca300c
SHA512 b8bccd7d2b27b970c1dab61098835d90569b0ffb1fa82a02a36733a1a529e387c9065a74ec673ac6de8b2808d2bde6fa73ca96ab969a6e69ab5444c45d73fa3d