Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-eyft7aac91
Target 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118
SHA256 2d0c69c0abbb080a635a97af58cfd710abf3eadf83dae363c7dcc62204b62171
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 04:20

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 04:20

Reported

2024-05-09 04:32

Platform

win7-20240508-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

F:\AUTORUN.INF

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 04:20

Reported

2024-05-09 04:33

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2847aee524dcddbf33fade6a4dd12a45_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk


memory/2332-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4fa4fb5e86637e7be31dc877e65b6b3c
SHA1 05eb7ab56eb39f5b4467cb3d65d7a320efff9072
SHA256 943159ac531613a4c35b30e3f9f9c7c5ff8ad998fa69185d8a0a963265c37060
SHA512 cb26aa925172c626fca6f3a38de1b38ba51b14030608026a8908f5e55aba03537b588eac5716589249e6ec6ea45739b4fa73ee35599d3e017024093e78b61406

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5e413540aa90fa375bfd6ae988282830
SHA1 90996f52b52542e64e6f63e9f19841d1b27f7330
SHA256 bff47fdd98a028ebb495ba2b52119335f2508e3aa069436b137cc5f04ec0f921
SHA512 06c6fc35779c852396df1cc685de5492ac9ebc8075fef2af8637fe6aa63636f5e660d49dd348e031f1a0b5a48533224d1aa9d4ecb75345c41bfd76cd91d0aad5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ce321adba756d178cfe22cf122298fc7
SHA1 c9f4602f7e88281702a3a32df25844b6ba5e9dbd
SHA256 35a74401630492b67cdaceda812b7b55926e0d0fa18b488f33ae7d88b84a6de4
SHA512 7b2aec6adede65430054041c6a812ab892ca4b545ee990e03a63d852fd793f17f274d261671705a3de1a26820f34001f805021e89756cc1dc24262c7c7f1f528

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4fb46757dc705c608cfefd21749121b1
SHA1 369a41f03ab0e4ab0ec1231d770e6bd00ac1a414
SHA256 42579697025d54c3d465d1f18f2f0a761c6f32b3c5fac66c35bff3717a8fe8d8
SHA512 c5fe10fdc8c7ff8c0f074cf1e5184bd02371c92f272427cc01aa659a828444c040efa6b75cb8f20587fe2efcfe4abd857fbc1e05a8e8601efcc00b6a71d9c5ba

memory/2332-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 adc3ec388f42763856b4ea82bb1b11f5
SHA1 087d01f9e6a74a255db96380209b40abf055aa39
SHA256 676366c361c7fd6483d45a286ded1d49c74ab60dfeedc39a467df481faaf793c
SHA512 651897aabaa502beee267b57f42a55b1dd228af6e8fcd8b996f279b1da3c902ea67780b26d4b64ba5391e6eb5994baa8bef9805e7dcdb2792f5876f1863ffa26

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e651f812b2e2dc7da987f7cf7e030ca
SHA1 aa2d05245bd89dd91ee665d7536dfe0c655a1781
SHA256 a52eb12c26f53da09e66ffe07b119ab843554ffb622cf2e5d108e3c5b00f3fab
SHA512 af380402f86ab0013636fadf91540f9580fdbee389298b85f36df371d7bc3007f88f3b393b6ef381ef4910569c8fdee66d25c60702c8be9eb2f11f85ca49e579

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1547cbf9f1f122a7d0c72c0be672d51b
SHA1 f5f06f564d399ba5f9cf878f5f4162046a3c3d6c
SHA256 8c75b5f5c6fcfbf4b00b17256f1282d9b2f8053dc30031675a477b0c01f3b61f
SHA512 e39b16012f5d611d67eb18616bb8f41568ae3fd5f66ecb9a6e1d34759d328f940cb6e7517081d163d02085de6a5d2b5ac6119d37ca87a44d201c5b1caae36492

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2212ea1986de21c567168ab3d299764c
SHA1 4ac7cced91e947e9e1e25141fa0cce3c985b5b37
SHA256 78bdae31220a529a7bed2dc3145e216dcb895cb99d17fb591044cc267860bbee
SHA512 c8443b3754bb2bf46b016fc2ee2742e2dc3f48452a8c2e12edc845bcfa94c9ba75932c786b31ff915dfd0b3ae95f6b6098a1c6514e3784f31c7fff6cae91c876

memory/2332-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bd4121ac60de41af28589eba046d4852
SHA1 0fbd43144df34dd3578d845707147a101866c6b6
SHA256 eb01803cfcd5c51ced48bfc433942ceb0ec5ef374dd01c3c2f0bee43dcb0a194
SHA512 2b58bb14662d2b503d30e8da29ce3f04513987a57dea05b048758d8106c7a647791422c5e53fa7daf18b356e351438909a833aa71b683d78eab737a43ab4fac2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 78f8e97ddb880f59ac07ce3a350b67f8
SHA1 a77e403173628f9d6416334ccf63b616c91a91cd
SHA256 a555a4c62920ed01ba1510aad00d0fa192e59c3ed3b213e46526537134c7af05
SHA512 7bc6c62953080b0e1441ad1380e06d10ca46c7620648b5f9d95bef6ce8b7b71dcfbed1ec6b07f664644ccc0494adccf11e7b42d63a80e77aba654714dbbb9ce0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4a814477ccf1a322efab0f752dd82721
SHA1 ed1c620bcff81e96e63ac4ceb513a14a233dc527
SHA256 741f004717556ef8da15cb531c933026d607e8d239b656f54491595f4409562d
SHA512 2bc255b97d2d225b3066e4cd253ac9d97f092decc42046d87a9afdcd08282165be8ce38a6da4347ab2cf32deadd8cfe41008f2ddd4c215d9502196b618538253

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f70a657e9ffe460c4d98a3640edb0df
SHA1 58d76048ebfb70fac322ba645d4182f3adcb747b
SHA256 932163dfc1695dace62f956596701374c11b994a096a68c8ec167725143c21dd
SHA512 0a9ddbe04d4a63904e33d2d5240d4554d9b799827f6f6905c1a513d987f32869f27475a1750ac7ffa1e0a3f103ec2476921c97517053c3c418b796b094615824

memory/2332-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ae493a5e30cf1c6fb7c5cefd069c65a2
SHA1 107c81f0ef72680f4f5518592cd652edf1d29531
SHA256 d2d8ffa8bbccd66f7f4216399b623f8d0ef737c72fd7cb753e5eaa77f910cc9a
SHA512 7e9beb52242183b944bbe2c4fa3899f0e0b9795d9318abb1dd03d69de591769595009e91e6c463ae1e1ec4693d69c0e198a5a46495cf65e085675ef4be6ff8f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4c514fff5591edb8100fc45c6e68712c
SHA1 c042275786ef2db17d1ca79b259e6734c21a0e35
SHA256 73715de561a7efa2b64813376e66f4067548ce1dcfae1d1dcb9a9eec1617f55f
SHA512 74927b9a1f271c886ed59481ced7642df7cbe76e7acb488190592737920bca2987b4b4e81c3bc51425ef392177feb9fe50cd4eee0ed08d36d21a691106dac182

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 505487158783680726e874d6633b9f42
SHA1 88c4c4fec7d9231ddae5d55a9adfcc0dfb422948
SHA256 14749bcb013a783cc60054985e88e9a73ae9c9b4a4a4aade947747a906a0e495
SHA512 94449af6326c753eade942433b9b6dfa961c77a0c712daceadf46b8d839f3f2f99e17ea77caebdde62cbb90f6fe257afd8a5acfbb851832a1e9e1f8ce570b184

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c5b9fe59528a27f2c84f5dced50e7f33
SHA1 8a85d30552c0284953697fb28d8746adf1ef651d
SHA256 09ebdb10e9f01f4a3937dd5d05cfe29267d87df45fde4d215561905bd4bbdc7c
SHA512 26d087b6c15ecffbc3a3e8dd6074e648df5ec926325f4173e2ad7e3e2d8a0f8ab0b8baeead327281b13b9299851c39aff1c691d2781a03eb6339df95b59938cb

memory/2332-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1dfe5f81e9ae72295498b4923b295f1b
SHA1 a409b7e543813f158edff9abcd59f06de6ada485
SHA256 8efd6a6749390c624edafc22b7d2cc4ca56996dd2713b984c0a66c3dab51f6bc
SHA512 3fc3eb983b9c9ebfde5a91bbc1cebb8645b97749d20bf87cab2c230dcf0f4900672341e539d30d0d6d6ffb88c04f8aca65f0429f16c2225380f2702c179c2449

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f884636356fd1aaab0479c0850fe295
SHA1 b0c09f9f6cb598d323e440fb34edad0da4c760d1
SHA256 789f3c937fa95d108a344bbd48fb46f2c878000e162654fd67e900a2fb250a19
SHA512 0a5ad49be9404bb1141c0c0a32c3773b1a34a7492478af1d2af7876b75805ae4632318ca100166e9d626f7b7836d38142a64ed51e112ead275ece71378fb658d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d3329998cc14c81b48186726f3de7da1
SHA1 aa47f481da862b187c89374e867e88cd17a308db
SHA256 c5b9e723f0eebde259956bcd4a4cc83630754f9501948767618cbbf67fce0cab
SHA512 697d199afaaa23d18787181367f0a1184abf58e683c61e106f17b1f5dd44a348847fb07b9ea6bfaf3923ded4c59ed52fd996156e8febaab9834febd220971e13

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7f9621038f198890fa2dec9194ef5fa9
SHA1 acfcd1536591dd1b5da7f33947754460648f30d9
SHA256 0f86cbcc684b9dfbe26989cd44b0312e3eb14f82d8b71073e58892e22121dcb6
SHA512 c2ab06528c724cf2d894ab33b62e3331a8f52b2760628837430f0afc923963fd95004b53dd55cbb28c9510b7e3dab0f1832890d619ce84e8b242a681c0706d4f

memory/2332-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2ee2522357dba57c47bb30107b83f9c4
SHA1 8866f1720806cbe9004429b1370e02e540c83359
SHA256 fcc64ed1ce04e3b46d4f44331ebd1b9caf8b9094bc4f1fd97f022203dd333070
SHA512 0bbe4248f4501e6462cd2d36d01a659c4143257455782ac60bbfcb4f13c6819997c7793d20404da9643dc8e907c75a25a0ca092ab82316ec2176440b089b9695

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9677ace953848eb17920147c65077ba0
SHA1 386caaf454f43bfaecf8c44e85aa5a3571fedace
SHA256 6c0a6560e354d4fd2440e9d79d55e3e7bbc62025c4b548636105cf30f087da75
SHA512 c67099444c2d562c8cf5f110c6979251fb468e125e06b51c7adc23eb04f4cfc4604f7619ad7a73edc459842e5bb33e5e51bfddd22bd7017b5e3e8bc091277a43

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eac5abc6c3125e85729ab96c134ad167
SHA1 50c6a5c98896b00eb66cbed62f4f6aaa02fb8a3a
SHA256 2eb91ce45bc4d73ba8d664e2813461fc8cc9f0d2e74ffe0304cdd592dabe0fd6
SHA512 6fc1c73f66c783a80e43edfaa3862f97a68fc806a99c6a09de3b4593964180b7a6fa592cf62edbc8f7fdb19b2dff3d4f0165a25e160d2ea937acd0a137d4bc86

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 48e7fcf14fdaccdb741316ef1f46b8f8
SHA1 2251bbac645b3b846180a892affca29fce1430d7
SHA256 00a585da6fb221ef1fb27cc09b31e849a5c33055d054082979aebefe59c41df9
SHA512 f257fb9ea85f5f61b967bf848f7df365cab3ff9bd3e6cbbd894f4833477f89ec58263559344b9b6c90b1147339f0afe448d6f9d670d2fbb3d9a7c506516532d8

memory/2332-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1636-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 12808e1e52847bf6ab01f4bf31585282
SHA1 2a66cdd24fe949b2b26e75d303d8f59b327f2549
SHA256 3e3afbe8a9434056b912d032dcfefc3f38d4982e8cb7d0f519ff9307fca9db1c
SHA512 3bf1d0fddb078d4c959265e790312481d868d3258d61c6739068e8fa36676aacf4082a0a526e5fc52184f5981a759d5631cf5d32398128ebd061e8c0cc67ee56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5844e5dd57bd6bc232d2fa20f0939c33
SHA1 1353281406a4e37c6552157a63026111c2bf09d5
SHA256 c18a3cc4a608e724f530653c56e2add255f7ed03f0d9a8d0d08943ded4594176
SHA512 b5eebc4bebe822703b28641199acca02a1eb952bec4a6508dbbf8314e1c7bcaecfd79041e62996a9e89f001a0872f8571dbd670eb613fb45b19400486c2cfc2a