Malware Analysis Report

2025-03-15 05:42

Sample ID 240509-hg428shf28
Target 28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118
SHA256 7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124
Tags
aspackv2 persistence ransomware
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124

Threat Level: Known bad

The file 28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 06:43

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 06:43

Reported

2024-05-09 06:45

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
BE | 88.221.83.192:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/4560-0-0x0000000002220000-0x0000000002221000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 5db8318f4243e393c6766c868f25099a
SHA1 857fe7a985036964f7ec0a2eff98b214c0c8195e
SHA256 2f0f1efbfb69aa0da870c175aa7ca1aface944a7f02f8cd613b1256305dbaf18
SHA512 2b0b55b88b5a591289fac86135ecc83fa3cdb48169d107316e4a3af51e8dc2177d1917704737b1411d5ca83e7ef304cbc52d16b66b8bb1b3d62143d7bde91e3a

memory/4204-5-0x0000000000650000-0x0000000000651000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 506d97b9bd8df688c370816cbf2f467e
SHA1 52dea659c55fa06786a51352b77d80ea3fa90e2b
SHA256 94c53c60e507a04e5e90a166e9d1dfa5bc45090dee394f96e05f450b2480b98b
SHA512 6c36f1882f8ebc387621837a1a61ca9ef11127cdb4b282afe86a4a6c2e91c8c84f971eda97ea3dc46e390741d3a2dffdb76482941a8fdd464d9e1b987f2da53e

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 a1f3f66e624c583f0f704311f7c14bf2
SHA1 6dc6eabfb04d553f8fd5820eae09d9106710edd8
SHA256 9e696a5564a71635a162febb6fe283ffb0e73e80f4ec160769511dcb6e266ab8
SHA512 45eb58fedef7bcf7c68910e2a9867f7e0e8e0231093c751983024de1a235534a62bf8a07d1ea5ca9766deb962829c6e802f50207dd2cd41801c62589261effae

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 28c423a0fa0a5094ff5f7054ef3b0ed2
SHA1 a9ad4e7f3da9004b98dcd264d444c07eb58a3067
SHA256 7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124
SHA512 bacebef1231ffd1db387995935c9ef86894c61cea37e87743bcbab2553edb4f0b578941e2cc0a32bbfd9ff391212720b370b59e1438bfa04dd26c096c161af10

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 24c8161d8cee302b0975e90a5f95b972
SHA1 a1f07296e4737c6b6c4b1c916b47911d4cf1a9f2
SHA256 656876177e9eb963e167e722312f4783b3c94069af8c918c94ca682988a87af7
SHA512 8b68774ecb91b50d55435880ed57d3b1e684ed0f4002629f54fd51cd3576da0b4954188a39dd61cb7ec461974a4ea9ba7efe21e7fdf20997b75d1ec16d4c3dba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e83406b3c7705f33200dc815c91dfa8e
SHA1 6801b2acb9962113fe8122b11b9ad294a205342d
SHA256 fee4892e5504e5d4335849bb095bc69430f4088780abca9983eeba4654605209
SHA512 90e17e2c985f49c99fbcc418d37228d4f71ea8da808cd8f33d794f31cbf1724409b2f801fb5848e0a9c1ffbc3a44d9316ede2b4e946c52fb39a4e849e04492e0

memory/4560-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-49-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0567b23b72494efa6822b8b53a070c95
SHA1 5c61e06a17ec8d84e68ef049680b08c307f5b1a8
SHA256 c6fb1991c97e0fcef3204fa2338920d34a66ca604688cc9ffcf617f48bde6fea
SHA512 99298cbb563c6beed5ad6ef49af979f55c5b752a51f05e554a482bb543629bd33ef6f7c3772bb0e6c4c0bbf7770d430292a2e0bb4f52a898a2d276e5376ae36f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6564f13ae0eb9e30b1a206adcbc5da5a
SHA1 8397d2784e290565eb335ca0ef43db06fbe6a8fc
SHA256 43fc8e2c17f58511a9b5f3b66023effa47e0aa33235d7cd24ede663d1fe889fa
SHA512 23c89de0f49b4011dc4ab632a182d7db8e251e34250543d40fdb6317862b16411ee4a6c74cf259eee7cdfa7057db7c289ee3df4e088a0cbf7d642614fd4a72bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e9e7409de08ba0f288a63629c8b0485
SHA1 9fb0f195e9d8311a918b58e0144bf319a9755687
SHA256 d06421b9924842b5723c3f1a95ced749e5d3cc72ca304bddcf7ab1a24d906c95
SHA512 be63d8c988cf7bc4b7e744519158213c0fb266c6b4c9edec545a7d7eacf13a3dab6e2a21a99260e9f5b1a5b1f213f5c22db12a5a68765b5ede2b8d58046b21a0

memory/4560-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4560-60-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4204-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-61-0x0000000000650000-0x0000000000651000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8c708958b2f6039b5c62e6a9541cd359
SHA1 cb3c80e27157ae20a5bf8ae821158bd197cc1dbb
SHA256 87d35734f2fa8e39078d3f9a6978f134d342af782c99fd53c9771b4947fc1fc4
SHA512 0f92f3445e6494a7451a124f6a3571e0353169ba363511d46bb77aa59d3b58e8773e8bc67acfbf96758d02334cc2984bca8415c8fc7e6c07b61e32623424b4ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e4c82e9c332143d1dde4080eb9bd18a3
SHA1 912c74415483ad62abf96916eb05e31f331a77b8
SHA256 c685b5f1ad49854b6a84ebe27e918d41298fb1dc7397402a82425bccc48e73fd
SHA512 569faa56d22a84b014dec8f144db80473bc86caecb81cfca927cb122be8bbcae34c0d1c46fd36380285c81172b2dc922e89ab3558eeab1e0489565e789a47ade

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2790164abf25dc58c8efe0134b98b4a1
SHA1 ee75b19be17db8c41c7dd61e78be59951573f223
SHA256 367c05983e0b4b144141eb5a8e36d94757c1d271eeeb368cb07e004eeef45c89
SHA512 e8db73d82fe4528d221ce751de8e81f4e55880339e44a5890b50ce5fd4f9779866d82e06766b5610b12bb14c09e21abe179e90d29ad7ffda1212b79bbba8ca69

memory/4560-70-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-71-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b753df19c41a940e601f1a62c8404c31
SHA1 488676d4744b574004e094def3f762a7c496fdf9
SHA256 0c68e68ea3d4fc335740956e408c641e10145f2f0455b12c4465bb60760f2ca9
SHA512 1d19622c66ff01b896930e33bc53b538ef8bca3d1eb77bbc13212091ca19b0f634a78caa6535c8b8ed57324021f57db8a0d7c6072e6909f74eca0c8539876e1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fca445e6cd6389bdebf984dba5ffcb90
SHA1 e548a6a7fc69f4bce1ffb6351e3ebd16f09734e7
SHA256 03b2930c31e6460b4cffc6c649867dcd44d0f57c9579fa6efffa503d7b42dd62
SHA512 5c44746a75edbe9e487ee40f452c42687bced2c482ee02172389ae981fb9ef61b2bf8b7486079e51d8773820da624a3d5274794ad8b8bb4498c6f5c686198918

memory/4560-76-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 760107a5939f36a01138a3a247410a4c
SHA1 607227507447046fc5901e5cb81a2e8b515b3a4d
SHA256 a28ca697ee742fc674dcab1a6593c09942c4032571d0d941511966e06ef102e1
SHA512 afebde9bd0765f633cc88d4deedb6fd2267fab93943f30ec0300ca734e3a825237e8021fcfdf63eec3570597425e439e0752ba7c800d3acfb89dd87fbbe14328

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d260dd8ec6b40b73a06dcab84f3ba749
SHA1 8b43ddc435da23f2ebacbe8e6ad0848b44d2e853
SHA256 97f4f83919b6324e52659988ab22c4f1965343f5d993950c089855f242b57162
SHA512 05652dbb6d2ef608b079f5c7f7fa6f2b08a38f162139e89029f56e10bf99098aea9abd4443444d9efd4d97c847460cea2386568ec675b3805951fceee917642e

memory/4204-81-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 91c41b2d5332bff33f734cd3dfed290c
SHA1 9fd49063cd576601561508a7fded05b56faec498
SHA256 9144ac9de87467ed8b1bc58ddc32b52447c695188489a3224a232cbc94b288f5
SHA512 11043515146874178207c3b070aed459fd99363ac7fca4aea8ff94a6cd536fbfcc789c77113fa8753e2bbed93be143cef1466449c9d02ae5ec6da925be82ea3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 94c4f8b2b1019f46f9c6c3e0c6c71b47
SHA1 37a4297b9695957e2b9023929d3dedaf4480cf6d
SHA256 0c54c82d89c781cee2a5c7940246d065e1691c69d7f8ed1d7cce4c90f0096749
SHA512 0db53de1ea068ca156373a4603da4131e9e46e8dbd571a8a4301c87f228a2d9d7850313f0bb7f2778114015132a27f1771bbb6c5b90bbaa19d80acea80af48e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7b57ac16a36834cb62c0f64da22ed708
SHA1 ca76ba1b524653ca1336b804abea310d1587e3da
SHA256 9ce09aae5b37d10b9ff5914dc88e0ff500616bc02d7f317fba0753b7dcf5c8f1
SHA512 10046430ef61f775ba88a4acf633aec6645f17ceb03a22e08a2119df0a2d5782b7d9cc6d42aa68f00d653085de59ae4b08e2300044dbc6ba1ec638e4d06967d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0d8496f6345b1516dc30c14ca33ea07
SHA1 199a6a1049d2b09ba054ab516d37aed5d54b9b08
SHA256 5dd246d5dd595329ecd8ca06395a3d229fae8d8dfd60b6cd3837bd033fc2c29d
SHA512 eb3bdafea7da1383208586c18f7f73cacef8475cf707e1fc8006a51f2fa9baeb9d44620553fa208d788c8bfa2adc9c03a25516934504d6de4c3a0a8c4e8efa14

memory/4560-90-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-91-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab5aaff6cb02c4f1be7af6ec6976d492
SHA1 f922f5a9c2eef633a45311d8b7dcf1b6df496845
SHA256 d3b40fbaf04b231e2267428fe62e399aa825737b6ce532685b55b9ab513f8ee6
SHA512 3096dbf91ab69b00451b85b6e70ea10fb9ac6a6f9b83bdf1d4728f94e26923fb7c05dc48d39cf295e0e552c60f21b1c76a34703cd9956f11d2b307fd4dce6019

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b62026363b27467a2f949111cd1bb6ba
SHA1 23c8a42142443be9a2f12750a9b69b9b9e825145
SHA256 fb0606a49ad64fd53f8d3de5203e1904d5447af301c7320b3e66eec589ebb568
SHA512 f981a52c95ea4906673973a3c4365c605bfa83346add900a1a8d1282d972d229a0403da82dfb822f574f094cd5aace4770eac18b9a3551741183a94f5b8c396e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef2d4b7317bd7559d44945aa3a340f28
SHA1 c70621bff79d4ae634f405f8810cf44c62e265cb
SHA256 eb385150df78385135e8d269cdfec1df04efdc9b74f02d6a2db95a8abf8000ef
SHA512 726e25a19158caf04162e0480a0c46c6bd7d8a45da42dcce76ee61b6c35785bbb8eab45d04bb535e2c511cb8b00c05dfc9ebc77c7a901e028d01a5541302c376

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 779efd3f256fb13e0f20e30e711963f2
SHA1 223e6f9556654697fc43749365d6c5ba6b64617e
SHA256 882eee50d67b643fdaf972c3cface11610da52b01d5ba994014dd5b9545d97c6
SHA512 5597fbcb3c4fae07d43086a9b62245df061e4f3caeec75de3c013f55d083d6fc13bb126b239dbf156c1d1b7135f4769e37200a8c6ea9ac359ac4a87dc595cc49

memory/4560-102-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-103-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d33f362cb612fb6a1527e5f02fee5234
SHA1 ccd97312cead242a54b06bb9be96d4fab9e19f36
SHA256 3ad9424b3bb10237adae57bd55dda6fd5dd0d80cc781dfadaecd0a8aa3388d4c
SHA512 748fdb22d095c6fc73a9aa65831ef4fc97779055adfbe088ab5b2651c26e755b3f342d2840a22ee5d0a584290186e9877b2d3b0c8c3a0895306b9545f716b202

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a8e01ffe7df642e23446171a90111c12
SHA1 6623118e0869b82c33d11620bb5617bc29f2e4c4
SHA256 df30a038faff45e38f5bcb7f5b2b9788303702a3ca3f8170e06c8b1137b4ec44
SHA512 cd5559897a0133b81529a98705a75faab2e603c7f48436e395e76306d3788669268d6f6e8699ba1c36109838fb3f5374a316a9282ef46754687d479df51f7a52

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 051f842c493e0a574127c62d0896db47
SHA1 b5a4a9ff802f1e2ad888859db4fae12d9224ff72
SHA256 94f52dd7e8dcfb781b1fd393cd2e56392b0c2058474849d0edb63a2a57c8d5c2
SHA512 4e02ed1e1aa6b363ddac6929b8252e02b69e1209ef78e2d63594e848ee6decda6ac7d9f54f69f33d24bd1429c653725d35025e09a0afceaf6f8238d69f2c7078

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aea035bd771787846ee5a8247322524d
SHA1 959ec4921c1720b97b9d8ec0f51c65bbe24b02c7
SHA256 a79c77d3825d8a89f519e9cac1a3726917f42ad63ca21af61fd8e29416cc737b
SHA512 7c731e734719974144b48ed09daa12893f6950a7a8997df314d77b18dcff37c0f754efaa4265ff5dbb2e340a1fdd13f33d03ab69049c5d25b7b541b2023da7e8

memory/4560-112-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-113-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0aea875ffdb4ee57dda90714f4745bde
SHA1 fa67f08fd2f449d4820a02230c250937f5b76721
SHA256 7ca378f026bf769a752e08cb9c742d0e25c4adad94cb33b9c0ce6e4dfe14954b
SHA512 cb0a7ce341f233542e9048d2020f14422d5100fc7cbaec92dd3e459c5e96e96a22fecdf63dddbbb12f2c26a6c519506d79dba438340d749317f4e76530b37df3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 47bbe3d123b88586a50500c542add74b
SHA1 0f61e9fc178986e87fa4b38bf55b26ef11f45fbd
SHA256 ffc23ae50bf58fd1b971402bcc54b9cd8bcc609a7ec48d8237d862ce7f7b1d4e
SHA512 ed13fec6268b736395fe00f897fb567e11cc25d45967e4fc74d16473493a3b24acaf080d4728d2ba5b994463ed1605bae28bb89410ca1e1a50ccdf11bb832b52

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e03e4e0fcd0445d9710dc4acc4e3f1e8
SHA1 463fbcaf0616b2a9fa3ae3f341f1d19c9bb65e08
SHA256 af7d8bf0f1a8c889530a845cd8f60bd9dc07bc0be2b8b1a7583ea66e97c25aaf
SHA512 1a72a6cd3576f41368b41c52add63dcf7da118b186970e3793ec89bf5e15c1a7d3b1f814a143187e9b5a691f18d84086026d7ee921f721312fca2039e6988fa5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4eec9972c46460ec3bbf871070666ca9
SHA1 64fdb3fe0ca0180bf9094256a02225a3c2df6cb5
SHA256 c833a5293aa3b8bf20c6e937340fd87f27380b61c3c7de3061d7545d0d402b87
SHA512 495d7be521dfa9c003505bef05091018ffdbca6454169d50163a5f6512a267cc0396ce13f24d3d36d03a9c19651e6f39319ed9112699e837fffd74e46d2d22c7

memory/4560-122-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-123-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2354bfa3f2fa4326f79395e071cdd236
SHA1 690817c5eb193b1da5cf598cb919031d8b47957e
SHA256 271a0ca2baf9ba50b10b256b34f586e00f742ad21a537189be527eef3da62c2c
SHA512 6dacaab626d7f0b29ba00ccd2b02f3b371a416b7bdb6554d44a66a46edc685c753627f8053aa2246c9ea31ed3afa0ca72357cd62039b8dd52124d1728a9eea4e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 14f28b26a9ccd29e1a6d8e24e3a98a55
SHA1 c8ba3b082b2779028994a95f1cded8656a8a9b6c
SHA256 759e1187eb6ec3acf33f30cdde4c1ea00d7590a86e001ca26d99b89c8a1cd40f
SHA512 9984893da7037c8014f10e14b48e7c638add0998b671791c6af019c5ae3dcb2c18e3bd3ee9973eae42e730165d27e06b7f62100a718c52557c3e5ec2a6683aa7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ccb53fc44032db12ba76ee1788526e1a
SHA1 c32810dc5c45f41947ba1e528ed1305c12e78de8
SHA256 b086f53fbe03667bc804e05e3d89ecdd795fafa4a13acc7c9f6ed6a63705799f
SHA512 b2a8c19a9a9479bfbfe90f352a1ebad26b05e83402d95fba0b29c2041542aa2549c8d645eef266991721fd3ca0630e4e54cb3e82c10df0e4e4da42c672092966

memory/4560-132-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-133-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b6af1aa3cc81439d94f518b6cef52fdc
SHA1 5ccbe323bd15e11ed6f665c1bf88094064014f53
SHA256 1ed81c8d42e6945e94cae7e0c1a00cecb59938c5091fbac1e31e800050a93ed2
SHA512 b3ce463108e0780152a73feb9d60a954cdef541654a389d845af6d3280949312b96e7c2a41e7d4d669ffecaaf03292899d71d5b3e26dd0fb90a89ad7980822c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 70503c3c2a68a22a16c06c3c44a0db5e
SHA1 18db5c67b9ad02ca632517b0c43ae698638e8f7d
SHA256 81efcc7ac72f66acf842ea809d9423f617236285906bff2005bc4c29601d10fc
SHA512 e8eb2fb9cdf2bfa6d606b4e2c36f2edd94d9c0f120eaba17a0bc3d3cc9852f91c4db9085e80467251a6fae107faedb086647cd0334ec841157278b3093b8b0d8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 594d6455a6b22b6ab9b9d66dbe3b73bd
SHA1 03e66da0d6ecfd04f3bd87daf6f0d33950166087
SHA256 6c01ebf912a2eb54b968e4dabaee4931c5ce7993565ad980fe79f50db061eb7b
SHA512 2a3d34402e9a4c0052d696de060b716de546c171197cf4ce7a66790c87a487fdb15e01f7461c416d95c6b812eec838dc8e212aef7d9b682a71ccf648b943ee87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 762c4a554f23ef020b2fa87fba05f760
SHA1 0fa9d7de182a8574bad823107569186abef2d93b
SHA256 2c87315bcf8650630e8361e7c5dc95d15448f6fb9db8ec3bc994f408741ecccd
SHA512 e57c61d64b8dc31477ab48bd901687358d554c7be79fb64c5be096739dfac8d78f860aef5012138ef1eae3660ac0ea3ecc01568415704446b906fb80b0888109

memory/4560-142-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-143-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7884c29d44d7a3d85b1200718099fec9
SHA1 75d1fd791d6cf5e2067695632903ff98e7ba26dd
SHA256 7dccd7d37c69ccc3bbc0e85d676c045e5f26231215cf7c54bf97190750c35a7b
SHA512 dc5ba28f6853f59959f8d91871e2bb8c285f32871f6b5043b8f034b9e6fc5275d3e241841a889f02c46dedc61988fe83770d59306f6df1dab19374df54f4484e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0aa44079ed84214fedacdff3bc88f64a
SHA1 473650a6abd5a7890b529205c96ada81d5176e27
SHA256 3107855ed311f56e61d0a38e630f9002718dbfd1dd0d48d42efddd1347d1b475
SHA512 4c52813fd78a5e67a9cb8f2493303ccf31a459ed47174ecc4db72cdc722ee18a1a3d3dbab1ad0a1ded6a9f1f4491e45380408605b76b029b080235cb0731c150

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 907f9119a907279764ccc552f015dc7f
SHA1 c327d244c8f53537da044b270039097a719df0e4
SHA256 ce459e4beeb0e90feb27fa1037a11c381fed6bd1a544d54cb29e31c2378cbe72
SHA512 93285975955cc32d4f97bc2c97f5fd8e72c61b4c3e9286a053e6d4248245eff3d57cfa298f1b3c30d3a474ef72a6dd12e08b665ffd6b5e529dc7857432578254

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a4832511c838fe39ea96fd47aff1819
SHA1 77244ad7aed03cd2a8dd681bf08823343373bba4
SHA256 2eb2c982fc6087ac5cf65577d8863475e9a302b47e2d2c5b4bc4316b7620fdb0
SHA512 2f40feb7a268b90f985ae92863e057487f47bda750f51dc4214817968000df94d3f17146ce21810e74f081ff5bb76c2843553fc82833b6ff47157da28307eefd

memory/4560-152-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-153-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 14b99498b7162d040e38554720a69328
SHA1 7343f7e2f75715b7f63bbf516952d7211bf92266
SHA256 48b8ce50aed1d1cfb3d0702e618e54c62506411b3a18032d2af06750f494605c
SHA512 ff2912e64c9acae4fe4b1b7147b7e359b8da7c32769dacf945526813dad2cad93deed31164450419c1046f7b83ca192f9f76a7eb27211fd588154207f9ad39cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9774a09080bb725c40557be4aba78eea
SHA1 8624323964f66765155bffb6333f9821a0a2da8a
SHA256 7d243d25aa1492b9ab2d5fccc3adf6a21217f386e1cb845aa30e48532bd98d49
SHA512 824179992cf2b133b0e4ee955d515ed10af0d028317815c16957c8ccb9e717e7d60b6a20ddbd9f8146a67afa3ab01a8125d04de6fc8450de95606aab0eb680a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a054b638a038191deb1fa1eb8170ef97
SHA1 e522e53b6207d15913150f0ad0525738841a9572
SHA256 957b99ba6e40ba365551d28741f178d9c53d362c85ef397aff66ddfa7545e16a
SHA512 b7686d310bb940fd3835bd2fe7efd374f2ddc162a648cd9ef24d2959aa2aeb3526d095584b3ee6c16e669c036f81f79a79e7dd0a2e4ccb5bc2f8d92f9ddbdb54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 689d5511b620ff0c47042990add9864e
SHA1 9f08cdabfced40a31424f5f410ec0d065823a78e
SHA256 3066fc6a28f0de1b044f49a9231ba780b6faaf72ea4fd8c9d906dbb5df82f6e3
SHA512 0b0e88ac9b2cdea72664624de7f42123f33d2433f0a9a9eb888de36f0806e2d95820c35846040c80af735efef66337baf89e419bb6f43ed6d62fdb910c788487

memory/4560-162-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-163-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c3094c83b714eaff9f9fd7b493cd6a4
SHA1 d6d2ab5a4e9524e736f15be5334cdc859c86304f
SHA256 ef763384d2befde470a5a28238c61bde60be7f4936aa3b79489ac8a906e5df50
SHA512 3a149508ff5fe9c313e0e4b30ff3801ef58c039c69a4377a13ac840d8879d782593423548ea4b90007a66ea535fecab75ae85d83d10492c966c27d0318bb5e20

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6020cf12ee7d0f20be19c28eb26b297a
SHA1 78d67ceb708238a81ce906e0e0775cf38efad603
SHA256 e4cb7dcc486168b7cdcc4f6784515e1873859444993f86ddad3706443dc42b8f
SHA512 135f6693fa5af96d42c15e034392b329ab8abc0d9e0d7c1b864c720964cc9528b8b63a2742114d2c4c273a48d8b3d359efcb6f82f806b9e4e2c2750150884137

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 849b3167edcc5c060d24c0cd90481793
SHA1 2ea76c376cfe01883758b5a85993b5fb85db12c2
SHA256 a00275b302eb57857f2225ef7f815a5d1bfed1e8673c0b7516596e25bf752c64
SHA512 585140d3a7ae9e8ac9054d4bd070513cdb5abfe3d5d98d51a303015079da549a99294f999c7a49c6788e7d6fa6470fb97326612ad37e4a4e8ace56469160e6a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 95c541de1d778c7248472abbde4eabc4
SHA1 a0a83cd7539300c7b35b0b7f5a54278306994893
SHA256 b9a09ab2e73418382ff1c5b0f8cead5de8e2bbf364feb3a4f4a6d205c929580b
SHA512 b0b539df3fd7003e0b5eb5ed16079401d891e8e531118dedd979a03b2c9d2495ff4ed958956204ba6b1ebe8439209e89a7af7c85c55e2cb6a7e9016ed2260ccd

memory/4560-172-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4204-173-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4e92dffc9e257697fe36fa3bf6101417
SHA1 1b2c2d348b8cfc63c4a00da9c37bdb0758624292
SHA256 2a985a928e282f8e2aea7fc5f9141232086e1f02bbc57257b09d5d5e1da15003
SHA512 b4cff09f088b7fcafe6de04b51997251047f04563cdeabe25e431dd4d3f6d946c02e4df7c41cc78cfe30d7079c445608f27e479c7360dbc36891b503d4a35bc4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1b1a27328ab156a78eeefee831fb0fe
SHA1 a956a35eb94689ecb8f9dc05a3c41a4336be7d9c
SHA256 b06ba3d32552937cab03f50cadbd301496e9b421134ef3544f3f336ecb5f00a2
SHA512 2b5573391b435e48b8673e3dfee3c23892297b758839123816ebe87697b01aadaf6fd7f416a707d3535ef98be80695d6bca600fc2956eaea671efc01820834c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53e02aebd8e4535c897a976c28698429
SHA1 d6c319cab13772fa9c96ab40c02edbebe0c3bc3f
SHA256 dd38e23562a43cac1124ff79f613bccf61e506ac842f000c831809f7d154662a
SHA512 f73b3cd982119f4ae2c849852698bd67ff635055aa69625946a1a91f007c5deb7db5a67cbe7c2a9d5c431652e49d81f0cbf4798e12f80eecb58f0c663206c599

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 51f05c8959e98435dd99b0b885857232
SHA1 2eefc996ca50d3fa0535a57fd6c5fcffdeba00bb
SHA256 45585d01fcffd8b01bebdbf35454d9aaefb8190c833fe864a2e1d48f276b10df
SHA512 80efa657e723834a4a0cf18afa39b37e5829af1f95d629e0d620b98e6f54a234b520b4f3147c637ef010eb940a53333a43ad2df1d4bd3ded781268a6bf73b523

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 41af321d0a9c322abe8d5953d246dab8
SHA1 fa55fb2eea6e5a959167d31e537dc67ab6c3ed45
SHA256 9db5ed05ac3bcfa8b39306c0c0e84c77fee3b620d419802c921cd851ccee67da
SHA512 de68abf76196115b284e13d51cefcc50808a05446587c8cdec776f0735562a103cdc52354b9cc19a516bd959952d1e0c8f20593ffcb7a0d60654b470547fcecd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 13445550166a066677e93b50144fe4d0
SHA1 bfc9dbb47a3590c32c6b3c386e6766a6646665d0
SHA256 ff125c59a471387aab34bb6b410e3ed20e5597573fed93a18d8df02e90c2bce8
SHA512 0531b94d4eb41978c418d0043b10ed302038e7857fd534a69393ae4b839b6eee1f079c296d834ce70c29db68fadde68a588b1c59bec7fd38d4eafa4db23abf61

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 06:43

Reported

2024-05-09 06:45

Platform

win7-20240419-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\28c423a0fa0a5094ff5f7054ef3b0ed2_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

MD5 5db8318f4243e393c6766c868f25099a
SHA1 857fe7a985036964f7ec0a2eff98b214c0c8195e
SHA256 2f0f1efbfb69aa0da870c175aa7ca1aface944a7f02f8cd613b1256305dbaf18
SHA512 2b0b55b88b5a591289fac86135ecc83fa3cdb48169d107316e4a3af51e8dc2177d1917704737b1411d5ca83e7ef304cbc52d16b66b8bb1b3d62143d7bde91e3a

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.exe

MD5 b2fb07b9b3534172487ed8786eb36c83
SHA1 b0a67976d70ed81b05732c4300b525dd32293589
SHA256 69f237d60f0be8e5e3cd20b8a19beee79e34c48b39e4e10311f2d720d6885609
SHA512 999dc99e4d204d5a1f8e060259efe8db00e0b26109b915ba17ed45fa9dfed2c1c4ba0fe9cf50f5e791720df5d40ba60fee79bd86126da545079351793cc4f2c0

F:\AutoRun.exe

MD5 28c423a0fa0a5094ff5f7054ef3b0ed2
SHA1 a9ad4e7f3da9004b98dcd264d444c07eb58a3067
SHA256 7e862226f685439f0e33ebfd42a08e3f68298fd3ca4a29006be3401a09737124
SHA512 bacebef1231ffd1db387995935c9ef86894c61cea37e87743bcbab2553edb4f0b578941e2cc0a32bbfd9ff391212720b370b59e1438bfa04dd26c096c161af10

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bcd2938f4928ab325ddbbe0f060c6f51
SHA1 5e0b0442ef8566ea592707d61a9e14a658d6ccda
SHA256 ca6b6419a4c431dee09377ad928bba069b76638b18857dc089d921f076b3f0c0
SHA512 2541df4f89a1bafacff2f4a5699741c7d6c6bbd10e4a6cf2cbde8521851cb143a590df67b9decc57733e7b5587298e02380ee57572a7b5cdc929debbfa7cc278

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0b22d652bcc2f65181c902dba814a98b
SHA1 0550413a7855f6232b1a7524964b220af660d8fd
SHA256 046a07c24e5605e63d1f67049962fe5f41b43180e523228b9e93d87bbec6a74c
SHA512 9b22861155e379429b0ad57c0b244b4e737a3924dc1ed2aebc39e22292a9d09c34596f543c656cf4298c52437a6cd81a11c47ebd91185ef6807b722e0deee5cc
