Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-q5eq9aff49
Target 2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118
SHA256 3a81dde4b638df30022d899c14177578688b06744f9bfbfc07071d653986e476
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

3a81dde4b638df30022d899c14177578688b06744f9bfbfc07071d653986e476

Threat Level: Known bad

The file 2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 13:50

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 13:50

Reported

2024-05-09 13:52

Platform

win7-20240215-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

MD5 0f4a11370c4bf46df2397042d445f84c
SHA1 b617773bc05ce671b21713028e77981d1c69601e
SHA256 4e4c9a72d72e1b9b6245c86e6cfa1d87547e186ffbc4e6c554262344baa1727d
SHA512 43f0f254ce46b7e26202c8cc484977b70ba44b03ca495ae22fe371862d03bb8262a6af9893e734150792e5a62f7411d058ec765605d7cc5c9d4ca2f571f2c102

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe

MD5 9ed460c698cfba3d65f6a548677fac6d
SHA1 dc75c782aad79d2b462456c1ea13babb9da0ce14
SHA256 517329631968a733288d9ded8dd73c48910ca652c3c5f339b5a6170e7aa50c50
SHA512 36b3559a9ef364af368758a17a0f4efe20fa2c7495ca0273ac4ab20354dfb08fad06abcffaea1a5488ede751a1624fd2e4404a0be202e983a892ac60d7a36f2b

F:\AutoRun.exe

MD5 2a413fc28008906ff64b62daf1ea0ea7
SHA1 efcf0308d29f9a821b32cb4e538b06a54d59b018
SHA256 3a81dde4b638df30022d899c14177578688b06744f9bfbfc07071d653986e476
SHA512 808a88389e51e3acb333890c5c260946efc99600cc123c142a63c706958444426b07adb5ec40c0443584ed20934df6c9be3e98b190166841758248fa1fb89d4f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 13:50

Reported

2024-05-09 13:52

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2a413fc28008906ff64b62daf1ea0ea7_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

MD5 0f4a11370c4bf46df2397042d445f84c
SHA1 b617773bc05ce671b21713028e77981d1c69601e
SHA256 4e4c9a72d72e1b9b6245c86e6cfa1d87547e186ffbc4e6c554262344baa1727d
SHA512 43f0f254ce46b7e26202c8cc484977b70ba44b03ca495ae22fe371862d03bb8262a6af9893e734150792e5a62f7411d058ec765605d7cc5c9d4ca2f571f2c102

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

MD5 058c009001afc5cb343a50530cef3dd5
SHA1 1dea7e656c25315a9fae52c70296574c749ab21b
SHA256 4dfed769b4fa4a2233d6f1092cb4dd3baf5f780b1d5595d465b84a75bc8f0aed
SHA512 94eebeed40b33eee051d86db75c0ab660c847506aecd9db4fd24ac2ebc2d4c3d6de0813736ee2aac135c29655781c8c5a44cf0109f211dc6bb24d2dbc64c5a99

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

MD5 7cc3ee9f96aaf1919b72fe1dc98a59e7
SHA1 f0b8d56111d815ee18fc494a7ce5c06006c4dd80
SHA256 3a2803b9c78b610e570249e3bdec18ab75595b2a054c56d2a95c69b7cb4c97ef
SHA512 cbfb9936e2a3faaa2d9ae2a3792b3519c85c93888ebcb0240024da0b7d7f1867dfb083bed5561d4b76a25f57d54a40da0e7e4c067e89fe0de5264654630e6ee1

F:\AutoRun.exe

MD5 2a413fc28008906ff64b62daf1ea0ea7
SHA1 efcf0308d29f9a821b32cb4e538b06a54d59b018
SHA256 3a81dde4b638df30022d899c14177578688b06744f9bfbfc07071d653986e476
SHA512 808a88389e51e3acb333890c5c260946efc99600cc123c142a63c706958444426b07adb5ec40c0443584ed20934df6c9be3e98b190166841758248fa1fb89d4f


MD5 26d1e2c4136da0f1de5602a35964e427
SHA1 61a4ac276af1d7073e901539adcc0677f3d26db1
SHA256 ac3d223815ea3f6e2a17d385edfee81b45eb1037bdbc2fcf36b00e44e513ad26
SHA512 78aaf25b9893031e7979a99ca8450200c0480a7dd98f34381a042459f58764b3e7322921273348e5568ca88ffd2daabc680d64064cf9432d8f34b3f4410ca7ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f16b9116711f4515c563a039c2828e50
SHA1 8b23a4cdbc755ba05dd0721f672d67900ae7df6f
SHA256 0e8c89edd182a9c8fe7d16e52b7f44878ceb6049cecfa5985c4e344491488a6e
SHA512 c0b449e63b3c47db2ad57463aad234d108a8c4d64d28c6d6cabfe9f0db8cddb344b00a8f96caed9a7368ba11fa14327cadda827df7bba28bd964b57ee63525aa

memory/2528-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f214959c4e5e6e058ec02da6cddd2148
SHA1 5148e6030c18d4e77b35c5b79c9ac6feb2436137
SHA256 04953df955fd6a7230ae302e3544cd6b26ca980391604f984eedd706b41a2178
SHA512 4a4f190979465e5b26b32eda5046f5fb3ad423bf5f84e2a28b65ad6cdd702fdcf66db2c2f0a3bbd30fc41927194abb759f515268be4d42886b8e1d3a6370dd9c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5e7399c227805bfea8be0a87bfe43674
SHA1 ac41f3224009995129b0432922bf84b12efa64ae
SHA256 5aed5a87681ebd6a7a924245dde0284b97e208136d8be41e22879935c7e6f06c
SHA512 71ec4a5c9db542c807db5e406db6d1bc1f7dde36cb095937491c5b3a78c336426de58e5ce951985b34a4675ed540c71cac9b0886c762cb9de8e4fb56a50123d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 89e3fda53f7e162834c0d47d62c0ed32
SHA1 2fbbd2acc0daa276f97a31d0b9fbdac65af1f64a
SHA256 80bab3018cb1a4a573a2f764083af3e7ed593bd75ddd93ee20a3ed8db19b679d
SHA512 509a211506137e064312353e16caff7bd53d4a92fb0c8dfc9a58f56eccaeeba089fe7afb21a04e53b35a1a03f46e19e531223ab421f6217d7cf75106362bf26b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 325f43e068e7ae44b68d21f5c1e38ce7
SHA1 35b0a2b37ff66b153ac7aa723edabb57e6d4cc27
SHA256 926ff3e7b1f1548ce953139b319213f549a0baf05882efd2a0b92290917c21c7
SHA512 d9aeb2e55da1240e65f71f17113828b64ab7a4c8225098730140dea8b5258addccbbf405ebd8c482e8f907f7882f2ded3613f1c901deede1a53d7e5b5060040f

memory/4540-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0cc481604b532ecc90a9a49a7b1bc7d6
SHA1 318d5dd6f6271ee76b43b7ed262427e017013d1b
SHA256 9f4c2afc50944ddfc5fb9144fa498c0285e2ed99e462f3dac591ec1af6f0bfc3
SHA512 4af791e47e303b927916c1e3d47c82b50f5aa3ea512f8d6836ae9b4551a75e4c7bdfd4dfa0d292dc3814b27fe4362a9a05a9bde1a46cfc8e8c54ac23bdf4be69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b0c2cd9de103df59ab03826d6532fe95
SHA1 79a894d6e17ed1d4458bb055ad10ccfa15f17da2
SHA256 a7521d0cf43762d52fd6cc22a59697b861615d37ff9eeae8b374b22e95c234fc
SHA512 f9de5ff496ca53d86b6a7d09da6759021f499dd3d3573b524179310c8510b8add34462b910c50026147ba83af3b54d31ff5a674c1a839fd8b085ffb44eaf4f69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7a48edc241716a4b5ade84ca8bee0759
SHA1 176d60e3a1e8be4495d48fd771520ea340fc46cb
SHA256 425b96b1f9ce2f9d4509cf0936faf66c7c2bab270488a516d3074791de27128b
SHA512 c7d57de9fa63ca90ee376b164993d1a92186c973f4ad17fcb307ce3dcaa09298f18ac72df208ea11a76b8432b0a57dd5b1f67e051868e0cbf9c6e8d5efbd5c82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a4c7dccefd93d3ebe4ff96fe14f21e7e
SHA1 de6c484334a7e40067522c170a49f67dbc76ad23
SHA256 ef7fb162acbc1c09d74c30dc83ca3a6e88f6d822e531e2d3e18e14b76adb2457
SHA512 2dd6540ab422266442a72da26a01ee9a4b647630b1ced2d84a339ea3e5532a8308371eb09e61bf238bf54f59c92b132711b00652b7edd6787191d853c4de0634

memory/4540-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 797233886cfcbb09bb375b33bce15e54
SHA1 939c86bc401e5c2e30a0892ae562f51d070fe80c
SHA256 330f44f23871be2193b4bb1b1459126e8acf45e2c27c4262c8e81a74ac3101a2
SHA512 4946224992cf692b7bebe1af3a59f3b4c4704b6244863090104728abf7d37ced26822a718a75383d7f1187fada50b765dad5e400edfc1a3de6d7974602bb230b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 78872e24ca7ded3ba7ec75b9a94ff9ac
SHA1 8dc3c105dd86f80f311c15d3d9600abfa0fcc21a
SHA256 614bfa0a26be42d0ac4323a836219226be7f5cbe8d5727deb4a4286d712b8201
SHA512 ce36d0762560c2c86f3fb9444231595bfca5f28aabacc1faa0ab1e7d4e87e9bc03a3e65e2ffda5c4f234fd829936324159c0dffe0b574a603ddcb630cc67e430

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 296b2bf831bb87fccf5969471ff20fd6
SHA1 38872d0e434fc2e7d38c72116a0ea95ebf5a9554
SHA256 8a46e0316039234eca66264d5d4005aa44d673b68da0dfe3d3f304216d30fd3f
SHA512 48c0bb817f7fe29794f827e5c1226fdde0eb349276ce791e6a570fffe6aa501ec8e4ce8b8de31c9e760f8e58f2d1b07242dbd064c14dddf3365eb606f40f52a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5a9809556cc2d77c8d625a86061f27bd
SHA1 b8467c9e3f84825074e02a06e39402e9b52c0677
SHA256 58789fd3449c77a8fa86e196eed20e2fcb274615109e3950001fc2bef3c46474
SHA512 2e7c0b4602bf4e86fce930fe4e6d55217a8086eaf11d48e3c2a9f41b66392cc73a3e977f24723b9cad23d9aac597d73ff374590c37dc394cf5347b2caea1c5fa

memory/4540-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e64b41918c3bd7ea76c6134d97bf673d
SHA1 0b19517ef7d6b62e8322fa62fa159e6f2460c326
SHA256 283a2a46ca09e44d5b8a0fc9f9afd371fa13113d5119e158e20e0732962dc5a7
SHA512 06958dc3dea81473f6fffe31345d11ead9cdd31950377b273e14b21a32c94a34edab5a43a90c8b5557e741dd65d413de450c8389c0bbf52add8a10c4aa975a59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3bc95a10b91bdcbf7a9f00d6237ce781
SHA1 3398a5bf80ed13ba9b2f2dabdbfc8956c87e252f
SHA256 0ff93a8657f4c1fb075ea0994fd09744ff35681a0ee46d0dabb3936e2109ad67
SHA512 a1590c5c4ae11eb844f42bfc42d9ca239087969cc2b2b274e31ffacee9a043c8d4d88c65d2fd5028598a4200c243ef52d2abd91585c309e9c934b8e983658a2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 04ce63389b2cffad0359d4be00ff2679
SHA1 d961e5e4dd477da202816429a43a2e1bc48209c4
SHA256 d0d887086d3df6e92a04c4aca428671631bd944c18cd72f167d212ce95413ece
SHA512 7cc1acf17fbcbd4dce1008bd206c272f80f9a13d5dde635232a4185c9cb9dda9e3a6997bde6a65448777b07742a92eb20f01d186639d44f48bdf57a68c5568ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f91cffe37a1906fc937e305d9bfcb977
SHA1 22b9984696d18aff41b826aa2ff3d9f9501b0332
SHA256 9727ae86aea64f29f835c47db8e5e19a0dd099db76efe14586d6c0062a14fcc7
SHA512 8daa27dac3e3873ea11f42f3b5f56354bbfbcc0559d5e2d958256aa417848a6f50ff38c7dda191e6cbb2033183bc48a6c362b146fa27c8cbc43edc0dae2bc36d

memory/4540-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 58cbc9107baa8e6e7f77a8a44803906e
SHA1 dcf54dc08d7e19f7d95bec6fe0d42783e7d763b2
SHA256 c9381b896af2d85ddd32979ace038b7af01517e4b41812795771fd172ebd4713
SHA512 d9ee532aa6cf799e1e07f006bbfab1c03f3e20e2ee2f19032b6c8ae605d63cee4c7fa6e19fab7b4ef53a4665eb439d053828da8685ed4bc3f82f981043fc88d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f8c36230fedf69230b035d07d781e28b
SHA1 05bcf9ae85b93f9b055c14ec202c789acc91a038
SHA256 b3fa3718f316af05d1b55fc9d81e31b2f3d4b0aab1f225661e57f46dad907bc8
SHA512 aca054b5b1a9a2a26414b5440a9e12ae48d4f71227e4a29a0bebf6b4e852b5a46ab1ec567d69c665de77640f55846d391283962c18f50cec978f88b050a22a11

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c86f6f271214829981415e54fd3b91b
SHA1 2c96394180d0fec22394cdf89b49bb39baf7f66b
SHA256 7bff2448dbd1e0ae3013480a8694f8e7ecf3dd2a677b127a92844e46c4dcd545
SHA512 691b49da8376d39147faf45c57ea8ee865363d1c00588a5c121b7374f8566a4c6972dcace170da1a963a128e1a4f4006bedee9fb6cd37c63040db2c1aa77eab6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dc62c736ef134455eaf08f37150c8fef
SHA1 f54d7a456e81917176f89a410a86e4e22e342396
SHA256 32bb738f1b3fda5f3987401971e5ff7ee02960819f956905ce2b10bd0418c55b
SHA512 fe865cadb30f3d41e1b6197d81ed299f0a7c1fd4b54de6a6e52b25153090267a7e3679bee21514abb3298a8cc22c0de634e0fa3227f417bb95e07332763957d1

memory/4540-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 49d7cb258309044da87777cc23bcf162
SHA1 9099d3e5fd37a2d25215d11c23de929826898b7c
SHA256 a9a3baaee61502e5282cc3a6f791af69f1a7fdd838285dfa3f047584a0d89312
SHA512 ededf90929b10c8a988f66d678a7e1d3b1142544a443b6270fcf47a0c90e3798c02919019457ba4538c421e156338fc7a4aeb7cd622f8ff72d8a41a22d17d069

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6fe9d9b4c5a5bdc985d4551301c59d5c
SHA1 be6da0c813b5b7bca8ca58bf67472943a140c23a
SHA256 33a3ee3e349ee62ac88c9e95edbcbdb85db941f0c6ec4e80bfa5901cd21937c3
SHA512 e5f6c3d7dd98600c0629178f3174c5aeca72b6405b43e7a95a320108408fd52cdfd14ac3e09175d38649b18264ded2fd489b3ff942ab6b1d1241b0e493911e06

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 89934841f13ff4829aac1c1a0018b5be
SHA1 f1d247b458e9f2a28b4b109410a01bf7339c425a
SHA256 cef3c2dc8aa6eb301bb4ac8869c9a677097522f385098eeaca179e2a3196d67a
SHA512 680a6ac8db9678151dbdd8b80e4c42716a7e8a64ed2d135ec9b2a33766de17642e51243c20a8a038ff5c350ffba55c4ef2955933eaf7b98e984e6d6867e98795

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 718200dcf51d947d8a342761e4226d5e
SHA1 d839a3a524a6f2a55abc95d18e3785b9230eb962
SHA256 8189ef4ec00a85b2f5f4dc378939a73dd1e387d169fc0752752aade049a9a950
SHA512 5f54d84543458e7cdfceb8d9f0e8c5b836480fd70dd91a75e0cdfb65ee73cb28c7276cb36dc14e4f5d89b0095272b873463e5947bfce6fa84d70818633575286

memory/4540-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 af4f21e657721048ada43a00c08b5632
SHA1 e79979b767c124364199a114ecc53d893f70598f
SHA256 357a60a71f67bf24c2a0ebbd5ef774d79f4ace617d853e84725e863ea2e4747e
SHA512 0a604d783365a4871f5544888baa4af62fe53fe221cdb1bb10852fa67e0f2c337188f31c04b3c217c8d02cea971931d921637991cc6bb7f33480e89590afa221

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c088498d0ad9fafd3e622dce8d933aa
SHA1 e75791c52169527c70a7858371477f0e5393c300
SHA256 0cf73346416a5d0734dd5a26f2f5dcf256ac81f0230b8c6746241a293a113784
SHA512 e1687cdb122cc1b0e90ab364000ff61961cef8f25c28b91d675550b8eb2bb5f717c71f75ab433def431afe74ecbc655fc248432cb3c02435c6532d7b9e9f5ec8