Malware Analysis Report

2025-03-15 05:45

Sample ID 240509-1skrvabg85
Target 2be4dd24679af4e98fdfec189af0f649_JaffaCakes118
SHA256 a7c8e4720af0da66a4c8499f151837bca5d6298c902cc88cfb4a2487fd093f74
Tags aspackv2 persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a7c8e4720af0da66a4c8499f151837bca5d6298c902cc88cfb4a2487fd093f74

Threat Level: Known bad

The file 2be4dd24679af4e98fdfec189af0f649_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

ASPack v2.12-2.42

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 21:54

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
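The static signature above is a packer match with no indicator rows. The heuristic most packer identifiers use for ASPack is structural: the stub lives in sections the packer names .aspack and .adata, and the entry point sits in the stub section instead of .text. The block below is an added example, not part of this report or of any identification tool: a minimal PE section-table walker with that check. The two PE images it inspects are constructed in the block (header-only, no code bodies), so it runs offline. Section names are a weak signal and are trivially renamed; treat a hit as a reason to unpack, not as proof.

```python
"""Added example: detect ASPack-style packing from the PE section table.

Constructed test images only; no sample bytes from the report are used.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_HEADER_SIZE = 224


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return entry_rva, sections


def section_containing(rva, sections):
    """Name of the section whose virtual range covers rva, or None."""
    for name, vaddr, vsize in sections:
        if vaddr <= rva < vaddr + max(vsize, 1):
            return name
    return None


def looks_aspack(data):
    """List of reasons the image looks ASPack-packed (empty list = no hit)."""
    entry_rva, sections = parse_sections(data)
    names = {n.lower() for n, _, _ in sections}
    ep_section = section_containing(entry_rva, sections)
    reasons = []
    if {".aspack", ".adata"} <= names:
        reasons.append("sections .aspack/.adata present")
    if ep_section and ep_section.lower() == ".aspack":
        reasons.append(f"entry point 0x{entry_rva:x} inside {ep_section}")
    return reasons


def build_header_only_pe(sections, entry_rva):
    """Construct a header-only PE32 (no section bodies) to exercise the walker."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, 0x102)  # i386, executable
    opt = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in sections)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table


# Constructed images. Sizes loosely mirror the 0x400000-0x478000 mapping in the report.
PACKED = build_header_only_pe(
    [(".text", 0x1000, 0x70000), (".data", 0x71000, 0x3000),
     (".aspack", 0x74000, 0x3000), (".adata", 0x77000, 0x1000)],
    entry_rva=0x74001)
CLEAN = build_header_only_pe(
    [(".text", 0x1000, 0x10000), (".rdata", 0x11000, 0x2000), (".data", 0x13000, 0x1000)],
    entry_rva=0x1234)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, looks_aspack(image) or "no ASPack indicators")
```

Point the walker at a real file with `looks_aspack(open(path, "rb").read())`; it only reads headers, so it is safe on untrusted input as long as the file is not executed.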

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 21:54

Reported

2024-05-09 21:57

Platform

win7-20240419-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

The default data for Winlogon\Shell is explorer.exe; appending HelpMe.exe makes Winlogon start the dropped copy next to the desktop at every interactive logon (ATT&CK T1547.004). The value lands under Wow6432Node because the sample is a 32-bit process on a 64-bit guest and HKLM\SOFTWARE is redirected for it. The 64-bit winlogon.exe reads the native key, so on this guest the hook is unlikely to fire and the Startup-folder Soft.lnk is the persistence that actually works; on 32-bit Windows the same write hits the real key. When hunting, query both the native and the Wow6432Node view of the key.

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 rows, one per letter; no rows for C:, D: or F:) | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened (read-only) | the same 23 drive letters (23 rows) | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

F: is the guest's removable drive. Together with F:\AutoRun.exe in the Files section, whose hashes match the submitted sample, this is removable-media replication (ATT&CK T1091): a copy of the worm plus an AUTORUN.INF pointing at it. The content of the .inf is not captured in this report. Windows has not honoured AUTORUN.INF on removable (non-optical) drives since the 2011 AutoRun update for XP/Vista/7, so the vector only fires on unpatched legacy hosts; the file remains a useful indicator on any USB stick that has touched an infected machine.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

The sample addresses C:\Windows\system32 (see the child's command line under Processes); WOW64 file-system redirection sends a 32-bit process's System32 writes to SysWOW64, which is why the copy lands there. Creating files in either directory requires an elevated token, so the detonation ran with administrative rights.

Enumerates physical storage devices
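The four indicator tables above (Winlogon Shell, Startup folder, AUTORUN.INF, System32 drop) are the ones worth turning into rules for your own triage of sandbox output. The block below is an added example, not code from the sandbox vendor or from this report: it re-implements those four checks over rows of the form (description, indicator, process). The rows are constructed from this section's indicator lines; the rule names, the ATT&CK mapping in the docstrings and the "writer outside C:\Windows" condition are the author's choices, not something the report states.

```python
"""Added example: four persistence/propagation rules over sandbox indicator rows."""
import ntpath
import re

# Paths copied from this report (behavioral1).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\HelpMe.exe"

# Constructed from the report's indicator rows: (description, indicator, process).
ROWS = [
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"',
     SAMPLE),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
     SAMPLE),
    ("File created", DROPPED, SAMPLE),
    ("File opened for modification", r"F:\AUTORUN.INF", DROPPED),
    ("File opened (read-only)", r"\??\Q:", DROPPED),   # drive probe; must not fire
]

WRITE_DESCS = {"File created", "File opened for modification"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINDOWS_ROOT = "c:\\windows\\"
# Matches both the native key and the Wow6432Node view; captures the value data.
WINLOGON_SHELL = re.compile(r'\\Winlogon\\Shell\s*=\s*"?(?P<value>[^"]*)"?\s*$', re.IGNORECASE)


def rule_winlogon_shell(desc, indicator, process):
    """T1547.004: Winlogon\\Shell must contain nothing but explorer.exe."""
    m = WINLOGON_SHELL.search(indicator)
    if not m or not desc.startswith("Set value"):
        return None
    extra = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    if extra:
        return ("winlogon_shell", process, "extra shell payload: " + " ".join(extra))
    return None


def rule_startup_folder(desc, indicator, process):
    """T1547.001: any write into a Start Menu\\Programs\\Startup folder."""
    if desc in WRITE_DESCS and STARTUP_DIR in indicator.lower():
        return ("startup_folder", process, ntpath.basename(indicator))
    return None


def rule_autorun_inf(desc, indicator, process):
    """T1091: AUTORUN.INF written to a drive root."""
    drive, tail = ntpath.splitdrive(indicator)
    if desc in WRITE_DESCS and tail.lower() == "\\autorun.inf":
        return ("autorun_inf", process, drive)
    return None


def rule_system_dir_drop(desc, indicator, process):
    """File created in System32/SysWOW64 by a process whose image is not under C:\\Windows.

    Assumption: a dropped binary re-creating itself (HelpMe.exe -> HelpMe.exe) is
    already covered by the first drop, so writers inside C:\\Windows are ignored.
    """
    in_system_dir = ntpath.dirname(indicator).lower() in SYSTEM_DIRS
    foreign_writer = not process.lower().startswith(WINDOWS_ROOT)
    if desc == "File created" and in_system_dir and foreign_writer:
        return ("system_dir_drop", process, indicator)
    return None


RULES = (rule_winlogon_shell, rule_startup_folder, rule_autorun_inf, rule_system_dir_drop)


def triage(rows):
    """Run every rule over every row; return (rule, process, detail) findings in row order."""
    findings = []
    for desc, indicator, process in rows:
        for rule in RULES:
            hit = rule(desc, indicator, process)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for name, proc, detail in triage(ROWS):
        print(f"{name:16} {ntpath.basename(proc):48} {detail}")
```

The Winlogon rule deliberately tokenises the value instead of comparing it to "explorer.exe" verbatim, because the abuse pattern is to keep the legitimate shell and append a second binary, exactly as this sample does.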

Processes

C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe

The second process was started by its system32 path, but the image that ran is the SysWOW64 copy: WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit code. The same mechanism explains the Wow6432Node registry path in the Winlogon signature.

Network

N/A

Files

memory/2036-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 1132e25e5fdf32e788c9521c94fcfa81
SHA1 4cdb34864eb8bed50c4fd6ce5825823044e6d941
SHA256 4976ad57af86ddf6d1904cbcafbe33e25af3b812f00f7fa921049331fb299caf
SHA512 0fc0ea9b0fd23bb8ee4b17af37fb45a687d80b5ba269de39a7c0fdabfbbad028f0611bb72278b3e7dbd3b5779569f1aafa7369952b7d1e6a5489a3fe77eccd6e

memory/1252-10-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe

MD5 858641d24069dbee79a9fa30f5699ae1
SHA1 c4c9b445d40537c3aa87eacb14614f935ff18d9d
SHA256 fb076a31ddece16b4f26c2d2d571b5fde914c1106673e83aa88da81d087b1405
SHA512 13dda502d1bdd90ed307c861346fa444ccf3393b92f556f39a13345b002b85d8b02ac509cf2b1cde419d98ec20efbf28f52f69051bd067168c8999ba94274737

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-byte input: this copy of the .lnk was captured at creation, before it was written. The later Soft.lnk entries are the populated versions.)

F:\AutoRun.exe

MD5 2be4dd24679af4e98fdfec189af0f649
SHA1 c98232a649386e254af6da55d0f12670307d3d87
SHA256 a7c8e4720af0da66a4c8499f151837bca5d6298c902cc88cfb4a2487fd093f74
SHA512 15553ffb127b758fe5d80e3aee44098f95ae65e569cb2350bf2a305244e8b0f8fe0e91907f3a04ef4ab09c502e9e3640f5ee82f5eff502872e3e5cfb1a549100
(Identical to the submitted sample: the worm copies itself to the removable drive root as AutoRun.exe, paired with F:\AUTORUN.INF.)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0763cd93b068813570e046218ef225bb
SHA1 101a208c073bcb51a0b924b8481d6d04bdf7880e
SHA256 8cbc3cd3e39255d2a07e1124ceed9c2c443a48496775f4db305a1444547838aa
SHA512 c6f191d293cf5119da85239be59fc46fb8c6fae650b6f967325c37c087ae392e88a01acfadc1204be0a94345ef40613c158e9d81a95d699655f74c7607c155b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb487706d4842f79543050673d17d9a5
SHA1 5d316d8c4b189209ea0947eb9f8dbc9ef7250975
SHA256 f40c82972f6b07ec936656c17c54f8e3858407edf81211ae366201be91305883
SHA512 c44e25fd4240319fe143c4479dda07e3cc6955ed5ff47ec444de6ede0b35b97bad39fd6c6e8585ab8d8a8ac6551ebbcf0ff85d428976068f9526b43c100d7a99

memory/2036-228-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-229-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-239-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-240-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2036-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-250-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-258-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-257-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-272-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-282-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-291-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-292-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-301-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-302-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-312-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-322-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-329-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-330-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-342-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-352-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2036-361-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-362-0x0000000000400000-0x0000000000478000-memory.dmp
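A Files section like the one above is easier to read once three questions are answered mechanically: which dropped files are byte-for-byte copies of the submitted sample, which entries are the empty file (a path captured at creation, before it was written), and which paths carry an executable extension glued onto another extension (the "renames files with added filename extension" behaviour, e.g. desktop.ini.exe). The block below is an added example, not part of the report: its FILES list is constructed from the entries above, and the set of executable extensions it treats as suspicious is an assumption beyond the single .exe case the report shows.

```python
"""Added example: hash and name cross-checks over a sandbox 'Files' section."""
import hashlib
import ntpath

# From the report header.
SUBMITTED_SHA256 = "a7c8e4720af0da66a4c8499f151837bca5d6298c902cc88cfb4a2487fd093f74"
# Digest of zero bytes; any entry carrying it is an empty file at capture time.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed from this report's behavioral1 Files entries: (path, sha256).
FILES = [
    (r"\Windows\SysWOW64\HelpMe.exe",
     "4976ad57af86ddf6d1904cbcafbe33e25af3b812f00f7fa921049331fb299caf"),
    (r"F:\AUTORUN.INF",
     "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"),
    (r"C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe",
     "fb076a31ddece16b4f26c2d2d571b5fde914c1106673e83aa88da81d087b1405"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"F:\AutoRun.exe", SUBMITTED_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
     "8cbc3cd3e39255d2a07e1124ceed9c2c443a48496775f4db305a1444547838aa"),
]

# Assumption: extensions Windows will execute on double-click; the report only shows .exe.
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}


def self_copies(files, submitted=SUBMITTED_SHA256):
    """Paths whose content is identical to the submitted sample (self-replication)."""
    return [p for p, h in files if h.lower() == submitted]


def empty_entries(files):
    """Paths captured while still zero bytes long."""
    return [p for p, h in files if h.lower() == EMPTY_SHA256]


def double_extension(path):
    """True for names like desktop.ini.exe: an executable suffix appended to another suffix."""
    root, ext = ntpath.splitext(ntpath.basename(path))
    return ext.lower() in EXEC_EXT and ntpath.splitext(root)[1] != ""


def renamed_with_added_extension(files):
    """Paths matching the 'renames files with added filename extension' behaviour."""
    return [p for p, _ in files if double_extension(p)]


def summarize(files):
    return {
        "self_copies": self_copies(files),
        "empty": empty_entries(files),
        "added_extension": renamed_with_added_extension(files),
    }


if __name__ == "__main__":
    for heading, paths in summarize(FILES).items():
        print(heading)
        for p in paths:
            print("   ", p)
```

Feed it the Files entries of any sandbox run (path plus SHA256) and the empty-hash check alone explains most "same path, many hashes" clusters such as the repeated Soft.lnk entries.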

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 21:54

Reported

2024-05-09 21:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 rows, one per letter; no rows for C:, D: or F:) | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | the same 23 drive letters (23 rows) | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2be4dd24679af4e98fdfec189af0f649_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe (32-bit image; WOW64 redirects the system32 path to SysWOW64)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 2.17.196.96:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp
BE | 2.17.196.96:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Everything in this table is DNS to the guest's resolver (8.8.8.8), TLS to Bing endpoints and reverse (PTR) lookups, the usual background traffic of a Windows 10 image; none of it is attributed to the sample's processes, and the Windows 7 run (behavioral1) recorded no network activity at all. The report therefore evidences no command-and-control or download traffic from the sample; do not treat the Bing destinations as indicators.

Files

memory/1728-0-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 1132e25e5fdf32e788c9521c94fcfa81
SHA1 4cdb34864eb8bed50c4fd6ce5825823044e6d941
SHA256 4976ad57af86ddf6d1904cbcafbe33e25af3b812f00f7fa921049331fb299caf
SHA512 0fc0ea9b0fd23bb8ee4b17af37fb45a687d80b5ba269de39a7c0fdabfbbad028f0611bb72278b3e7dbd3b5779569f1aafa7369952b7d1e6a5489a3fe77eccd6e

memory/5048-5-0x0000000000630000-0x0000000000631000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe

MD5 5579be747d3eac10add978f2bc00bf34
SHA1 2bedbcc689c20e7fbe6481d8c5360bc85df3ae53
SHA256 584c9216b0d2ddb934872c0c712d76ea843c85410ddcaf7f5f6e49251b6b64ec
SHA512 b4d86dca50a0a56739d09900e49f64939e94e8cfd44d9c08b2fa1e68230d312d81c0540397eaab69eb045fb5bca4f4cc04ba2f8a0185f2c74209095671f33af1

F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe

MD5 90d137ac794bdefa1c61aaa769b56d88
SHA1 30d48ce4bb91c9f1c166e838cc3f26e1f9f86e40
SHA256 f17863cf22d06e1b3d02b9388a6114643f684c06fa40e8735e6b023e4c700abd
SHA512 2cb843ce942ae36684ba1f2f6eccae81102678a64b67852a8cc8064abaa5b620dcb5163c92af041ed609bb99252b3b46ab67ffac1462587fc2ac154653a64001

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 2be4dd24679af4e98fdfec189af0f649
SHA1 c98232a649386e254af6da55d0f12670307d3d87
SHA256 a7c8e4720af0da66a4c8499f151837bca5d6298c902cc88cfb4a2487fd093f74
SHA512 15553ffb127b758fe5d80e3aee44098f95ae65e569cb2350bf2a305244e8b0f8fe0e91907f3a04ef4ab09c502e9e3640f5ee82f5eff502872e3e5cfb1a549100
(Identical to the submitted sample: the copy dropped to the removable drive root next to F:\AUTORUN.INF.)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(Digests of zero-byte input: this copy of the .lnk was captured at creation, before it was written; the subsequent Soft.lnk entries are the populated versions.)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e67d390ea133b3cf2ee747b70ed67fa4
SHA1 b6c5c0a456879bd5c4c0df1a885197f95f38eef1
SHA256 e35b0359c6b782b54ed8d9f3686494057696f9eef4398c56e061d5cb71c92758
SHA512 e9237aa2a8e8345635b36348c5ec0bd475c5efee778011c315b1eea3129b77861f7ef382e0f874ef8ffa0c598f7a118535531ec9b0890a7a06307101fa545bf6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a78250bc2964d343052c329581c43534
SHA1 9f0ded2556099c08cbe844a194aead589bcc0db9
SHA256 9b71517ae40202b68753df1afe1206415f757dc2a4a20a757970ee0c25f80412
SHA512 858409347dc18bce2a431e7c55d6159c78fac7f5b95bed71f0c175b5c8ecce557b6f66be9db769294572f7674ba2623954c0a1cc427ff145763bd95c045bb90c

memory/1728-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-50-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 75a58e930602618feac27ca05e791be1
SHA1 3b878bdcdb4d59e691ae0e1406f5d00a8a3db981
SHA256 a7481d8c14c1dfae8fede1e69d58b41563fa4bd380701b77884accde2cda9790
SHA512 2cb37b7a0ce733f2a57ee8d28a21afeff5b11569eabefcbf53ae104954000acf8f6b5e3c7b59156362ce05e1ed5876d56463b142034bc93fbb84fbc3353d5917

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5cf71a9a49dfe1607c8b3c23f0225e0a
SHA1 6ada9885726480f17405bdea5689a1e19195520f
SHA256 5314c2211bdc4e624e173001b5494954ae34ddf4d3b962403a9a9ea23326ef9e
SHA512 bf9ecd358aec90a1db7f78236d445ea47937f4c3fdd69b2f090e5473b8fec29a948830e187340b5eb5ead05343761891b596e02516fe3f27cf1c923ca15c7acf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d9e9a5647ec78c9d3b95a12f38001c9
SHA1 ea9292226ace4eba2dc9ee2af41412659df424ed
SHA256 3b2ac11392e809ce8614e94ca5ce6000fc2ba77a528fcc38402c4967f6a029a2
SHA512 5b0557dd8ab45c631713a195fbd73fd6826b509da623b26819e80e78fab43b9e4a342718d2254bef3708a58bc85a266214992225a1939838428d239091bdb76b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 048d1ac5a5ee4fe874ca6e61b0fec1ad
SHA1 48f79092f7570573ede1143b3178b2ab7b206aef
SHA256 16db5de6628ca962c49158b56c6b9c46b6c25ba2b65b304ba9810af2a87fe90a
SHA512 69d5b1f60832fda49221466070ff82ac86b0430e584ece35a154d8edcebfd2ad1cfef6605ce693d5179cd3e05bb7aecba2893bc7e11278f3f394c194f8c927db

memory/1728-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-60-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1728-61-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/5048-62-0x0000000000630000-0x0000000000631000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 be3b7487cb1670ea77d1f366cff2b17c
SHA1 ccd625c2cf9e0713d22ef7902fbf19c9daaa060d
SHA256 3b29fe65cfd55f66c39c5fd7c16db04513aab99b21c2f908f2dae361ef4136ff
SHA512 e284b838a823fe87e5b69760381703e46e9c34006147c5a1fd18a8e782dfe5c56382b34ec2110ae9438f8d47c667a26a6b9a0f70d45078ff1dd9df717be44b0a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e063118114cafb5dcb776221bb047629
SHA1 318c7dcd55ce0c07d1d68d3fd30b1e66901a2b46
SHA256 97ef77fa35ebece413ed19d2339fd5442dd2c75d16153cd5cb91a6584a422519
SHA512 55dda9ac1d6fd6d62d82fe957d733cd53fa7eb4145af3b4cc9618697d44ebce077cd89b61e760b948133ec594d3caff0ee1c0854d93bbb0c9b52c33713167f00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 571b89a668ff3b2de32e8a7a9ff5ec8b
SHA1 85ce8ab12dc7ff9e078da47350d2e0782eb123fa
SHA256 660f9dae715344e15661590a30d6e31813a62fabd071d1e8c6e7ec7b1fb4a18e
SHA512 e4816cd4863cedce8f887a788743d64ddb3c31074356b480603b1b7d3ac73f01005e7e3056a764f4b8dd8439b9e4ca8ceb7cbff2f745682d5bbb07514b4cc122

memory/1728-71-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-72-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 277f3943619ff1ee93b2e4236c7e1ca5
SHA1 9d7038ae711d5c17169e7e134dfb3821da076189
SHA256 80bfcc735a430eeaeeda2fd6a9acd1766724b841461dcbaca4ae62332f4dcee0
SHA512 707695817326f664550d318071dbcd553b6cd3d74accd092ae8e879041aa5dbb6366cf2ee6fdfd4e320dbeef8e5d41e3535ce7b7459cbf1c19a33351d90c3f67

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 69b9491aec4c2dcb1285e38fd9f9dc5b
SHA1 49cc7436ac64e5cee5913213648291feb4b7b6dc
SHA256 fdfc1ef719224f457e19b6af646835fee01319c08c4bcb330b96c5433cd4d5f1
SHA512 e053d0d67b7d9f3627ef94fa3741b9709526d0fddc3d5137536691e75cae0f4e6e083ebfea4bec482489bd1272f9e424abd4a8b02f778be16934264ef684d006

memory/1728-79-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-80-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8ad1fd487f9c8aa83902912a518583c9
SHA1 2eba5cd6aa89a5ff36aa7deef4fb1c0d180a536a
SHA256 805460f630b935b049d59d937f8f10fc936b77a859adda66a8107c9c2a85e94d
SHA512 d53e5885d944a06b4135400b24de65e5fa461092e128c78b32d4b57d84dea96bdf84226c8977854168e9ddf8bbae2bdeef89a6edd5f5b0c074986c13cc0c05f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1068c24c22c02b6527bac9b06a2957df
SHA1 134ba92c358b04ba89b0a4007b95d6767e4c3a72
SHA256 ca91616ff49d4bdf51dc6f09969801f1d1e061f5a966e81da799ccbc0cd33cef
SHA512 b24275b854e0c372ac2023d65136258ccbc36fdea8f1fad9a50c090f35a695472d9c3efa0a1340a403e8bb4b9bab182b18cebb12ccce1b73858bdf54513bd614

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ed6a580457e046947e77e4ab3fd7acb
SHA1 42d412853922d1915f320f1e30f9fc40d27400f5
SHA256 7bb3ed4fe0e97d71a984afffc5b6c6932f29baad2ec7a4e625ca879ed8fef5f2
SHA512 be3f3289630b1d3f8c3c9c0532cd56bf9e8aee8c1d99aa5f7cd56581c3d4c445d9c81a537a13b909fae52687a36b5cb7d6369cd0ffe34fdae047385b8761acf8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6cada2dfc85eaf4f7efb2e0014418f30
SHA1 90e68d5140f740cb78d13ace462f3da0e3080920
SHA256 5f09a239970559e56879b37c517fa894e6e4385c9cf55c447f144e941f602ddf
SHA512 71a7c6267149ad45871b1cc0d6c4d400e825605dc12f81a147b3cbc0d5fdf709dc9da66a08e0b28d5407bfab886520fdcfd96c645b81bcc7464c0db0e45dbbd4

memory/1728-91-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-92-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 76f1d6588440ab94b07f01dbd0f7a8c5
SHA1 06dbc0aca56056d25574ae4e66bef21be4120b36
SHA256 a727af258cc968bf5f718d74dded829ebfbd52cebc6e79dbaa7852c8a58ffec2
SHA512 3d36173f38ef771d7970a7aef94f06f1d51973987cc53e79a142d9cdd6d15b43482b49987647d3a1e1f9fe4178edd4a713829aca982e4a55fd3d322a5fb85599

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f76398b3f40873f6807d2d16e67443d
SHA1 3e0f3777c1a3287cbea5b0a275ce32f0ed8752d2
SHA256 15225fecb07748d3c6e78be2d024f1cd8922316028062a5eb2b051d9a683ee75
SHA512 3947e88d5be225eb74bcc3143db1f11c8bb36d6b270cff9ddf55138240335583029efb208be7f198a6a1b32aa0fcf3281f42d08f005f735ace7e138570cf99b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6482e280d27eaf7e4bfda38a4284900c
SHA1 bfae729b11aa153024055c129e4910c50e166740
SHA256 482f235f4052fa2791971a008f8a97c52b65cacbc44d0aef03143fddc5c4acfa
SHA512 89aa7f87de75d70e836180f53637ad2772928a99796eca2bbd9e84d9c3a36d52170fddc74362054479244b693d4907e8c1d16dba375404261b146865ed128d91

memory/1728-103-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-104-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6dd7131f53fbebf47fd3a725386d1546
SHA1 168bc8b7357dc5118832985de4b990d98fcfcbb0
SHA256 cc750a5531c8d5a1d448b1173ad767d44b8721639daf4e9180926ae38fb06dfc
SHA512 1136608f715f41df09c287ddb006ace9d8e479d069cceec753004c9d1213bf049041c25d8fec51342ce6a0e75b421aa4bbd6938f50817a7cacec5612921e6d00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dca6c0055d86022e6be2107b2ac6c6e6
SHA1 cb79905ab8e0c4063e44d798f99b2b8e1ed48fc9
SHA256 ea316614b253fbe8989f94856ad488806fd233e12cce64043df82fc5b2a5962b
SHA512 410e1d58dbd8fba10f3039f80852107b90e50b17f96a854e07d201b95cd6168cf521aa9da7e0a8dbee9861b2863693f49d5bacb798eeec9ee8558969965fcd1c

memory/1728-113-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-114-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 771abaf34ac01b4b6c876c29754d8f77
SHA1 3b728f3ddff481b171eee6bae084ba47a36ef82c
SHA256 8e2acb4e7815e40afac4053cdf9293fdd94a50b665bed30d5d41e4d88d49b654
SHA512 2336857e38354a69d712fe0d5ce58004d4606173d1b79d2218c4424be461a81c2bffa8f5150801c406aa35424bc9b7699248d95daee8293bdf362d4ab89f249b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 413736d8869c4686b61c07e029dbd0c6
SHA1 57b7c7147a896a8b045268643ed566b8522fe70d
SHA256 43be6c4865d6ded802b4f9bc3d3728d9b14703633a300559e05527b7b42a54bb
SHA512 a75e02d0cd8abab0b1135811359aac50a28ad83d334c740e1d342b2394d3141c0e1dea9275220ed77116ebe7a5b63efd1b97c7715268b1c16a72ec3e39028fe9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 23bc6ab71ec65eb821f608bb90b1da64
SHA1 189d300447c0d3f5b31a2a78d74a0e89f4836bd6
SHA256 8d524519a4ad16cdc5ea32cafa1315ee312ee7559da754aa4c1382c5024766c5
SHA512 7c25c2e40f4ce22b7422dc53a4bb5113cb83fc1c72cf276db2ae4df7b4c7a5b8891a7490bf4f236ab31a5ce56715c32e7182b8bcf7db0f8181d27726546198fe

memory/1728-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc6a3a8a1dbee4469777327374218105
SHA1 bea796c933d22476d415be343ded5807e2853554
SHA256 1c854c194cc21d8f2bbc5d552796c4b977b71e0d8206e8a0f6ac11fbdd7fdb44
SHA512 f88eb828bde408431534f2a78a4589dc23d973a5bfeb187f75eddbe22656007c0cd25686498a0d24507b014ab38b1674c4d580bfe9af70b4385055af76850dce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6530fa7dc8f1ffcbb9830b85d2c9d29a
SHA1 0066c15d1c2e2f648294427098631f2da407b272
SHA256 325b0afb1206f1056f8986f954207ea59223389d7872c40bf8723ecb23e638bd
SHA512 c115a6d5aee0cd5c8e22906cbd54b9bc484500917b5cfb9ab1685b159e10f061024fd68b6781de0db09174ae6e8032cd9e096960a472dcd3a97d7de9d92ba402

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd017050ba61eb7c778ce3d47cadae49
SHA1 08b0638d2f376e25c0b20c5d68676a8c521a18fe
SHA256 d1b468a0599f4755b11bac675bccbedd81a79eae8aada7718e4d99d5a2c72683
SHA512 10aea9b9a1643abff5daeeccbc6c9bd324623bfe36a66957fb9d90f31fd448de5b68b972b275b5247f1c57244a9a62c63fa49c8234bf0b28e959da90387a5f09

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d091fc0c73c2cb0871273c452ebf5031
SHA1 06b96b406b9f24d70b51dcd32530343a82c61396
SHA256 62ef84c31722db56ace7fbac825078810154b440b28976847e4d4b91cf2628d4
SHA512 57367f45cfac7f8292324bef1c10b44116a5cdf403b0a6b5b1cf26b5f682790836e374f003d4860bdf5e83703549335477e3963aada7287ae09ba2e858ab3563

memory/1728-133-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-134-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f5031a3e25ba14b64efedd1387e32be
SHA1 178c44aeda4c7b5d953b287fa3a68631a924d501
SHA256 3efd74fb809eb673264356f200584f5a8ec5ad0684e35df96a0b517d1eacbc39
SHA512 db546e5545bef09e731ef258cfb5d7efde76bae4fe5545e9789b25360360e8b858e4792008fea1af8ed73ce7316b5a88a106d7789e2109bf664b396f5de848b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c2c5d4f6e35de101911c134f116083be
SHA1 d9ef8210937d4d9c40ecaaf5de9d4341fd03f051
SHA256 2a1f3a2e7849b47f60ad20f9adeb64e99cac66b6a92d206163d788bb00788b18
SHA512 929d95a3d10cb01245a2b2f9f0d6b2a2fa20c41e011a091cd945887b212db80b39988ee5510f8fc4a78035fd0f2369fd2ec0ea6450caa73470d3907911baf220

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4373e164d7a0c6666132a5513681fc57
SHA1 4eb1cacf785006717b7b5c7a609b1f5f50c3137c
SHA256 1a13a0c3200b2a86094980703e982cccf2211ccc55cd6285c0538bc84cb6bfd7
SHA512 eabcc058803528a3bdcdd643791023d7ea0d92b8a7a94e3142d172550bec73c4bd38ce01906c980de6f8daea58f861ee5a8e4bd0e63816416f49f43eb5ac3755

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd7d6bbd99d09591b76b96fea6dfe23e
SHA1 0a78fdf2804d72670a480ffc69514038bae2c4f9
SHA256 c7edb008d1b1356e73a9cce49fd441153e4a679b4c993b3af6425e158c4df5fb
SHA512 06eeefc8f8988797f7194f998f8b0bd85b8899dfb8404b752a5650a763697a44bc7d98d3bac13b5ceb730ab426bbc3fbe2da9185591a06b7e4a9aa775f27871a

memory/1728-143-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-144-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5bce3f27e2c7b94f57496d6a233b6a84
SHA1 d454f23a028843d17f978329e20cab26e0d8197f
SHA256 8d2fa3a0ba430a785d81b65db19ae533cd53fac81000861a62da1fb062d6c4a3
SHA512 45a93bf734f04125c9de2e10194fd9ab0843472c8cb6b12f0d4fec896499932a63d731bc363e1145aa600555e619ecf7a0fd825c2d853349bcc5eab21ba055ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 43b6e04a80f6e5c59622047975c7bb06
SHA1 6cc7cbaaec6e89b44c80622647eb31a7cfa4e318
SHA256 d364ce4ebfe45245e35b7bb7450e96ef67ca6f2e47113233a8b460b5407d5dcb
SHA512 19987a138030cd5fe896a0bfa971b7eeaaaa27b0267d4d11b5d14112420ab771be41e0868cc18fee1fd5a31ea3e3ba43d7476da49c7c1769de5056c44aeb73b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e6133901e66a6823aded2d2cfcfc04a0
SHA1 439719d76bd46963294806c94c5dc7ed1ef7cae7
SHA256 2f9afe82f3aea181d69afeffe948a13bc1682f9fe810130a13a9a7d5ad027eb0
SHA512 9b6d89172b38c2ad1eedf62f1ea1013819964fc115ed3924af5f1cd755a525366c8a5aab732443806e9f2413606398b31ae543a9b9655b55dd00e9677cdeac01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d8c7ef9f7906b4a924f7639c3cc3381
SHA1 afb32b113a4bc1b6a918f91e61e2277045d563c1
SHA256 b557a1661083302b35c7672256350173772dda4ac57cf09bbb9575240a0ca146
SHA512 2e45c3adb7bcb38bc7c3c93e3c349a5f43fcb9928fe3f7553d8e7c8fc7272a6140441522917ffe37b63a6213f640671ce447f883afb0a979747e3536727068f9

memory/1728-153-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-154-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd05c1335ce901cedf348caa1651a5c5
SHA1 e53ce760eaa2c22380e09999649258a5a4cd90a4
SHA256 d2548db3a55529aed4a153964daa9423eaf21bd5f782965b6ed43738ead776a8
SHA512 742f0a80ddfbbf36617651e86b13e80ef307a65c8fc7c6e7ed395dd81a82abc81648a72b5411df2c00e805192faed2ef263422dbd7a89235c877ac4c230e561a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6f6c9296012488b72c492824d0990f16
SHA1 30572ea31de3dde5aecf60eea727560c05f9fdb7
SHA256 c4a4ee9d0dcf75fe81fad7d433cf284eed3d5b9a88aef0c268e7e40a9de0ea24
SHA512 e36a68cd626fb146a7f6ed2312eb249fa924cbe5a92e7fd216417ce9b588b4d44dec94c4557aab3eb1b07b81da5f5372417099fe188e6a61c995354ab1ece354

memory/1728-159-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2d2d2e83ccc778a589a4292ea9ad384c
SHA1 7b9b2523412fd6afc566657853c91d8a4560a323
SHA256 abd470a3c6b5b34a583f7b767fcd9fa5fa6f6823f90d1f4d4baf61803f01c3aa
SHA512 5a3c8fa9906a47b47af98250472db35cb0bb72f35aaa5262e19710cafbf6c0c2a984ea6252ff267e8d6dfd0e6225f610537bbd15496f4dab9ba4cef6f93a3991

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ac9e31d560a2aa8e492f2bfd0eb72be4
SHA1 ac38aa672ca8088e1f00b182ace1859cbcb356fd
SHA256 f0c15fb5e4925d648c2c50cd6acd4a5cad183e74281792218feb39d558a90cf0
SHA512 ef39a115e595337d2c70eeb8a0d85512aa29782f31e4ca78e9f2381c2a61ce3638ca10df7cf8ff0d37a154eed85985b1b05bee6de4f2f40bfe8948a7db18361c

memory/5048-164-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c6b58fd7b0324409b528af16bdc0c958
SHA1 0c727fd54760e215cf7273b0b72893354466d662
SHA256 1c66055e4b33bbf8613764e850f511c44aba361b869642ecd963a00d7be89ecb
SHA512 9cd199857c86751fe8483c16e634fd091bcc9b1d798280e4285805f06e70a5a600e94315c3948c2993ea5e374721ba2b7ea303fc4481c169ede89a5ba94220fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cecb2d7cfa6750db8afec69f4f485c13
SHA1 f9a581db50077fb0bf83c39bf0f1c49bd12d2990
SHA256 7fd06f5474298df075e6d326f92732460c7807802fb20503e9417ce5e4bcac2c
SHA512 3de5c85f0a85850e61d7a6f7f5011d4551ac2044f1d88df637259b2ce4677037f7acd8e20a4ec823baba42d3952bdf7cce0e804cd0f34a0f9ceb051406a32644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3424dac27f938e066932277fd419e1d
SHA1 779fa9f40727ca42c5c8f2d84501f65357212a36
SHA256 aa362f918fa39ee4fc0235f89c7931a239d26340b878cdb012c855bd242ba1db
SHA512 14a2cc754be930d53b6443b528c2dc07a5ff6402dfcbaf02ba72e51e725b817740c86acd7c64554cf4d79201fd319febbc26e983cb5bdd7a256c1874d5649c11

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd17ecbb524bef481586b870030c1036
SHA1 a8b2c4a4280c3de5c2421a7dfa6a67895dcbac85
SHA256 e4cb798436fd66f1446bb04ec29e2b1583666940cc2a5308aa7927edeacae558
SHA512 f1fe569804d99bad72b044f295d65f71d69fd44feda92debb008a5d1b920f856e07435fd6864ee45041aa7f8f04f17bca97098f88148e25e8f93de2b6c4f6811

memory/1728-173-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-174-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ada9a9555dccd728eaa080c796d87ee6
SHA1 54ccfbde62295b2efb45cf6e3ad462fa65337ce9
SHA256 108373ae00b2cbf753eb055b404d3091aeaf77fffce5094ee7b4cd1afd8e47b8
SHA512 2a910a9de3284c9e106726aed7fb9f805a4b1c8f102c40c22939a1b0ce7b19516357af5c8ad7078b85733420bf82a33626817137acf290032236b4d45339d68d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cbbb7e0c0306210b639d8214e4f1c51f
SHA1 441b3835778988be0a85b04fc40cbdc4b5239cd4
SHA256 bfb6f4c170fdaf14aa3ec2b24101e240464da91e57eb1cac1017715f8dd7360f
SHA512 78b2732b7d1b3486bfeda4e9fc10c461f9355ebee1871b714fa0e053546f7b754d4fadb85a29178097434d72f6e97f7a567aacb58206bac215e72d7c939ab8ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 926af60ecb8124b91e82b4ee179ccabc
SHA1 240d9bf589b580183e7f636f5f5a5fd3633ed890
SHA256 755aa353d1e9822c43b8d1221519a437631b90a2eee105550d639639a69b9a4c
SHA512 b9500af640c901eed0d147c67b3b6acb4235f2a43cf51953a7309f921e891b4f580d623e95c18e1116fb0ad945a4d307b72155096f28333ec70b6ef81120c856

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1e7ef99d8e864de582d857fe3c427cdb
SHA1 f7b8b74705b2e9c498d3333139e906d1b4ebbba2
SHA256 6ddaf6cf6c48f8e3186719146b05a512eef42638bf1fdf5b708268abffe32d46
SHA512 84708014a99a712c70dfec5a00c8ea672f6e03a9b389b8ab000df10d396c4753df6caef8f48751f10eafb14eed373bfb5ba0cb91d3de6b4bf80877f26b17b22d

memory/1728-183-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5048-184-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 12562bf6e6351892dd83b6b68eab70e1
SHA1 9d9ba7bd1f0687dcaf160a36159f22cb30bbe93c
SHA256 60be9d6b322ed994599ff48d1580d187f072b07aab8a9144358dccb96a45f02d
SHA512 5cc26c1843b9982ba3adab43e93d63ff18a76d0c225d7de4e1b1783f05a04ef419557850ec3e15d62c48f5b985a0ba975fe130ade1d937c444e199222810d1e6