Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-ly97csef77
Target 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118
SHA256 311184ea9b8d4b0eeefa2bbb164a3e3f4dcd8b629981293eb65c2a9bc72ceadc
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

311184ea9b8d4b0eeefa2bbb164a3e3f4dcd8b629981293eb65c2a9bc72ceadc

Threat Level: Known bad

The file 296f056e253c378ff1be1af2b304b8fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 09:57

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 09:57

Reported

2024-05-09 10:00

Platform

win7-20240215-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 09:57

Reported

2024-05-09 10:00

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\296f056e253c378ff1be1af2b304b8fc_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files


memory/4568-131-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 423e12bff1041fa98d91c1bd7ece837c
SHA1 4950d81ebc47a4cef9090a5c593ebb991b419902
SHA256 e0425c9e0b9652ebac14512b1f0e1da550ca6e988d755f37cd43af9922cfec37
SHA512 fb0031588be8478229fa89b867e722f4aaed8f2cfcdcb9b8f88fad791991e0c1ed893a1d8756cb237c805904b91383937aa202e317cf7d220b5f598bb994d0df

memory/4912-140-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4568-141-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd9c33c5d9198e569b06ff9c6114f63f
SHA1 39c128995436f29921f9da784ab2be33b83da35e
SHA256 792f92a5e005ed9e3eaf17c0c697aa52b5a29240cdf202b73410c6fd3d506a66
SHA512 426cb744a10120d638761387f575c5350c77568a7e56836f60d957f58c9951d8d03b8b3a73360f909eb6ed6c9e6987f17b6f8951aed22ac92279405e5d05d93d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0790297ffa215b0d1ee653895b9bded7
SHA1 03e978e298f618ba38bcd031e5d9bf355cebc8d5
SHA256 484c312f59fa07cefb5542b4d13ca6070baeef868175f60eb19a62bec176661e
SHA512 7679d80d3ba190839e92f79c723e9c2378dfb1c81a06dde05f017d095ce35a778504af7d7bf56e46568c90857f7027077500d26aec5ea7cf609f8291d181db35

memory/4912-149-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4568-150-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 542eda1a206b2c90a2e8cb5a55e4fe3a
SHA1 03cc15e07086352417d5868d02990f880a7c9696
SHA256 8f08ec55348258276b4789c24da1ef90dc54936d2047eb8a0f01c5f7212e4b29
SHA512 35bc4018b4ccf42f64a71865f0d8d5e58bd0515c226c01c798a00cc9b003959592ad0853448760466d04172e3bab21983f21b94d440ca13abdd210cc4d49e905

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ad948d1b17ec9cf59483892efa52f50
SHA1 f38914aa133c0a2df6bf56423518a21d80f8809f
SHA256 b942c18c2425f41fd307adbe498442f9e34e2965d08f374f307e0f3921c0f7d9
SHA512 77b451b26fee941dcb6f0daa763bc575742e81003fde1be617e9bacec1270a14c7a6d9f96c73184765fc13a43ca0ff5fa31dff44ee1c5366550acba069cffa03

memory/4912-158-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4568-159-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 179bde3328b84e5505a77ba818a382e1
SHA1 0a026fb89339626af9545dd14542f439fb920bae
SHA256 68ef2db49359b7e1bb7d554d7390f4a58bfe7afd4051e9a2c28f97f2ed3c4c6a
SHA512 ad1fc316235bdbcfc2b95222d794d8f59b27a871856fb826fe0dfc50ffeb2da1ea1a58134bb24fa53e5c02f70901ab3d36ba7415dc87526713bfaf9bb7f57ddc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 90e752198c39897a54d35821bbf5e4f7
SHA1 f51c44eacdca6fb60e4e0433f1a2e9c264048d70
SHA256 4a2130139f5a8302fb15282b95111a6b8c2797b37f12dd1fff85d13fd9dc8f8e
SHA512 8ce32b4f064a1e250474a0186b86412f465932b99d1a11e45bed5c6b7944e8f580235e5e3037fb31f6f55d8e2195f88ae96654c667328ff3fa71e27e77ddb60d

memory/4912-168-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4568-169-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c3e0f5be6d349adaf71591ef87eed600
SHA1 8570614f8f2e446cf87e6c75760b4b8ede24c7d8
SHA256 ab1d51dfcccffa52e5d395df973c97db4c11c996b8c829fefb115b9309b7e923
SHA512 a73e24af8f5c8a78fb9b9c22ce921ff847c95e6bf66c3257ef2ab31f620b26375b5b472acf81f8753703d6bdbf4f75dc766958c0faeda02904fee44327ca4745

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1545a53ffefc9e6b92e30ffaa7500f99
SHA1 b16891c596b5fec46629b8c7a8c80fc968fa7272
SHA256 95f80c218b45f01a06d25ddb421b6fcabe0268cccc3c3efc524551e62d693d8d
SHA512 1bcd53113120c06ef49cf5890c0dba8542a442fb564b1bb941c640c309061025cd98532632510e054325f90e53d1f9c707390108fe5fe1a393c30443d63508b3

memory/4912-177-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4568-178-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d96a8cd7a60748a5d09d2730a770d882
SHA1 57e2737ccfbd2d2df7d4db0f76d99861e542c8c4
SHA256 7d8c51a043ac87a15fd4f5e42974f2435570a2b6b7f36d7607012f99ab5db388
SHA512 712681f8d5533db3f9a3a46aaf90184949d5168fe6b9e5cf974c3571f03428f3f73a4814bdc57c683b6932436ee0fa411a46041576889eb19774d85895ac8b43
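The entries above show the same shortcut, Soft.lnk, written to the per-user Startup folder again and again with a different hash each time, so a hash match alone is a weak indicator for this persistence method. The following PowerShell is an added triage check, not part of the sandbox report or the sample: it enumerates the per-user and all-users Startup folders, hashes each .lnk, resolves where the shortcut points via the WScript.Shell COM object, and flags shortcuts whose target lives under a user-writable path. The $KnownBad list is a subset of the SHA256 values listed above and is an assumption in the sense that you would extend it with the rest of the report's hashes; the folder paths assume a standard Windows profile layout.

```powershell
# Added example (not from the sandbox report): hunt for Startup-folder .lnk persistence.
# Assumptions: run in the context of the user under investigation; WScript.Shell COM is available.

# SHA256 values copied from the Soft.lnk entries above (subset; extend with the others).
$KnownBad = @(
    'adb3e6d742515f781ac674aec1eb27a2bb786f4554deaa46f8745ce0520d906d',
    '0c1a7bc108aaefbdf91869acb1f62b83f9f77dc4d7776f792fc2ee5c679d1bef',
    '7a36762f9529fdcd99e6034ed25a77ea3ef580702d7fed95bca2c9ca84a35535'
)

# Per-user and all-users Startup folders (standard profile layout assumed).
$StartupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

# User-writable roots: a Startup shortcut pointing here deserves a closer look.
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

$Shell = New-Object -ComObject WScript.Shell

foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $_
        $sha256 = (Get-FileHash -LiteralPath $lnk.FullName -Algorithm SHA256).Hash.ToLower()

        # Resolve the shortcut target and arguments through the shell COM object.
        $sc     = $Shell.CreateShortcut($lnk.FullName)
        $target = $sc.TargetPath

        $targetExists = $false
        if ($target) { $targetExists = Test-Path -LiteralPath $target }

        $suspiciousTarget = $false
        foreach ($root in $UserWritableRoots) {
            if ($root -and $target -and $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $suspiciousTarget = $true
            }
        }

        [pscustomobject]@{
            Shortcut         = $lnk.FullName
            LastWrite        = $lnk.LastWriteTime
            SHA256           = $sha256
            Target           = $target
            Arguments        = $sc.Arguments
            TargetExists     = $targetExists
            KnownBadHash     = ($KnownBad -contains $sha256)
            SuspiciousTarget = $suspiciousTarget
        }
    }
}
```

Because the sample rewrites Soft.lnk repeatedly, treat KnownBadHash as confirmation rather than as the primary signal: a shortcut named Soft.lnk, a recent LastWrite, or a target under a user-writable path (or a target that no longer exists) is what should trigger the deeper look, and the resolved target is the file to hash and submit next.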