Malware Analysis Report

2025-03-15 05:45

Sample ID 240509-xb792aca84
Target 2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118
SHA256 adef926286b3351e3d4abc650296821f24e7bfede5832af2989a7facb57b9a0e
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

adef926286b3351e3d4abc650296821f24e7bfede5832af2989a7facb57b9a0e

Threat Level: Known bad

The file 2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 18:41

Signatures

ASPack v2.12-2.42

aspackv2
No indicator rows recorded: a static match on the ASPack v2.12-2.42 packer in the PE.

Unsigned PE

No indicator rows recorded: the file carries no Authenticode signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 18:41

Reported

2024-05-09 18:44

Platform

win7-20240215-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Note: the value landed in the Wow6432Node view because the writer runs under WOW64 and the Winlogon key is redirected for 32-bit processes. The native 64-bit Winlogon reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so on this x64 image the Shell entry is recorded but should not take effect; on a 32-bit Windows install the same write hits the real key and HelpMe.exe is launched beside Explorer at every logon. The entry names HelpMe.exe without a path, which resolves through the system search path to the copy dropped in the System32 (for a WOW64 process, SysWOW64) directory. Check both registry views when triaging a host.
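The check a responder would run against a host for the indicator above, as an added example for this report (not sandbox code): it splits a Winlogon Shell or Userinit value into its program entries, reports anything beyond the stock explorer.exe/userinit.exe, and records whether the finding sits in the native key or in the Wow6432Node view that a 32-bit writer is redirected to. The registry snapshot in the block is constructed from the indicator rows, not read from a real machine; the key names, the EXPECTED defaults and the function names are this example's own.

```python
"""Audit Winlogon autostart values (Shell, Userinit) for added programs.

Added triage helper written for this report; it is not part of the sandbox
and the registry snapshot below is constructed, not read from a host.
"""
import ntpath
import re

# Key read by the native (64-bit) Winlogon, and the view a 32-bit writer is
# redirected to by the WOW64 registry redirector.
NATIVE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WOW64_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Clean defaults: Shell is explorer.exe, Userinit is userinit.exe (with a
# trailing comma on a stock install).
EXPECTED = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}

# One entry per program: either a quoted path or a run of non-space,
# non-comma characters.  Windows documents comma separation; this sample
# simply appended "HelpMe.exe" after a space, so both separators are handled.
_ENTRY = re.compile(r'"[^"]*"|[^\s,]+')


def programs(value):
    """Split an autostart value into its individual program entries."""
    return _ENTRY.findall(value)


def extra_programs(value, expected_name):
    """Return the entries whose file name is not the expected default."""
    extras = []
    for prog in programs(value):
        name = ntpath.basename(prog.strip('"')).lower()
        if name != expected_name:
            extras.append(prog)
    return extras


def audit_winlogon(registry):
    """Check both registry views; registry maps key path -> {value: data}."""
    findings = []
    for key, effective in ((NATIVE_KEY, True), (WOW64_KEY, False)):
        values = registry.get(key, {})
        for value_name, default in EXPECTED.items():
            data = values.get(value_name)
            if data is None:
                continue
            extras = extra_programs(data, default)
            if extras:
                findings.append({
                    "key": key,
                    "value": value_name,
                    "data": data,
                    "extras": extras,
                    # On x64 Winlogon reads only the native key, so an entry
                    # under Wow6432Node is inert there (it would be live on a
                    # 32-bit Windows install).
                    "effective_on_x64": effective,
                })
    return findings


# Constructed snapshot modelled on the behavioral1 indicator above.
SAMPLE_REGISTRY = {
    NATIVE_KEY: {"Shell": "explorer.exe",
                 "Userinit": r"C:\Windows\system32\userinit.exe,"},
    WOW64_KEY: {"Shell": "Explorer.exe HelpMe.exe"},
}

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REGISTRY):
        print(finding)
```

On a live Windows host, fill the snapshot with winreg.OpenKey on HKEY_LOCAL_MACHINE twice, once with access KEY_READ | KEY_WOW64_64KEY and once with KEY_READ | KEY_WOW64_32KEY, so both views are read regardless of whether the Python interpreter itself is 32- or 64-bit.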

Renames multiple (91) files with added filename extension

ransomware
No per-file indicator rows are recorded for this signature. The ransomware tag rests on this rename heuristic alone: the report shows no encryption and no ransom note, and the renamed files it does list in the Files section carry an appended .exe extension (desktop.ini.exe inside $Recycle.Bin), while F:\AutoRun.exe has the same MD5, SHA-1, SHA-256 and SHA-512 as the submitted sample. That pattern is self-replication onto attached drives, not file encryption; treat the ransomware tag as unconfirmed.

ASPack v2.12-2.42

aspackv2
No indicator rows recorded (packer match only).

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 drive roots; C:, D: and F: do not appear) C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened (read-only) the same 23 drive roots (\??\A:, \??\B:, \??\E:, \??\G: through \??\Z:) C:\Windows\SysWOW64\HelpMe.exe N/A
(The 46 single-letter rows of the original table are collapsed above; each process opened every listed letter exactly once.)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
  command line: C:\Windows\system32\HelpMe.exe

The second process was launched with a system32 path but its image ran from SysWOW64: the sample runs under WOW64 (its registry writes land in Wow6432Node and its file drop in SysWOW64), so file-system redirection maps its System32 accesses to C:\Windows\SysWOW64. That is where the dropped HelpMe.exe lives on the 64-bit images used here.

Network

N/A

Files

memory/2272-0-0x0000000000230000-0x0000000000231000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 60e5a7ba586b9950cacdb58316b2962e
SHA1 c02a19d08fba20c440d5a5870a067e2e523d5235
SHA256 53d572d38fd727e47d3ee99c4421ba8e3c0e91ef2d9c7d27535921bff7c146aa
SHA512 255c8242dee2c7e55d3c2ab180e0f253dc940bd3e5d7bf4cd55ebbfae9930b9aac91e4afbbe2f3e04548a813d99385a6c4839a1647ecb5a8c0788ece65b41619

memory/2256-10-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe

MD5 0113a8647c7a765c1553e28d20ac6236
SHA1 3ba8f81f31178f866734a1b06385c6316258a032
SHA256 31a5f8536ec1113b4f57e796032baa2ce6d86099ad2c77964f89449e46f222ba
SHA512 c4efdb14209d1ee744bb4a158ec7de737487763b84b67eceec6d5fc54758a01bb687fbcae50855a7e79c10d495f2abc9ea7d81dcbdc78cc70d5cf4a4330a8ff1

F:\AutoRun.exe

MD5 2b5a958eb46e4773c9cf8b619780ef72
SHA1 55fd1b59bc4401a581e1cd3a8d76a0f792a4c9b7
SHA256 adef926286b3351e3d4abc650296821f24e7bfede5832af2989a7facb57b9a0e
SHA512 47607151384649e2e4689dcc7da6c265bbc36caaa9c44d54943d3cc1ec8ae280d013be65447c994f90ddb2e67a10b3f1429b717155ad088e1e024a24d3a14da6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 77960d4e634424133f2b9b5a684c53eb
SHA1 eea6cf3557538c7147a7e53b16bc4b71e7271a29
SHA256 55969bacd77c6d95d14942c6915e3a779eebcc5ce8a7ea72595a8b29548a92a6
SHA512 fe5d75aa7514328e2d3f76ebe540ec8e5acf4cfc6a035cd391aa61240ada815f3381cfc9c3badc217928ae44124c5cba9561d8daab5566cc132107d9e5f5ed61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3e18c1c21f1adc00ac4d7369e37c7bc3
SHA1 a934a3c9b86af658112390e8e24560928e0cab86
SHA256 f1a9dbc6d622aaeeeb12a5e3db28498499b9a16d8b3897645b039e08d6e44110
SHA512 5d3e7c388de0a838eab447b01351008962339b561ee4058804cf79d76b3e98e50863e804a19e49ba1261761096104fd44093aeebae2018d67410e61b879b5ec3

memory/2272-228-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-229-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
(these are the hashes of a zero-byte file: the .lnk was empty at this capture)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2272-240-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2256-239-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-250-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-261-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-262-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-272-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-282-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-291-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-292-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-301-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-302-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-312-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-322-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-327-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-328-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-342-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-352-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2272-361-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2256-362-0x0000000000400000-0x0000000000478000-memory.dmp
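The file evidence above (F:\AUTORUN.INF, F:\AutoRun.exe with the sample's own hashes, desktop.ini.exe in $Recycle.Bin) is what a responder would sweep an attached drive for. The following is an added example for this report, not sandbox code: it parses an autorun.inf for launch directives, flags files whose name has a second extension ending in .exe, and hashes executables against known SHA-256 values. The directory tree and the AUTORUN.INF text it builds are constructed stand-ins, because the report gives only hashes for the real files, never their contents; the function names and the sample SID are this example's own. Note that Windows 7 and later do not honour autorun.inf on USB media, so the double-extension copies and the hash matches are the more telling traces on a modern host.

```python
"""Sweep a volume for the removable-media traces listed in this report.

Added example for this report, not sandbox code.  The directory tree and the
AUTORUN.INF text are constructed stand-ins: the report gives only hashes for
the real files, never their contents.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 the report lists for the sample; F:\AutoRun.exe carried the same value.
SAMPLE_SHA256 = "adef926286b3351e3d4abc650296821f24e7bfede5832af2989a7facb57b9a0e"

# name.ext.exe, e.g. desktop.ini.exe: an original name with ".exe" appended.
DOUBLE_EXT = re.compile(r"^.+\.[a-z0-9]{1,5}\.exe$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return the [autorun] section as {key: value}, keys lower-cased."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def autorun_launch_targets(directives):
    """Directives that run a program: open, shellexecute, shell\\<verb>\\command."""
    return [v for k, v in directives.items()
            if k in ("open", "shellexecute") or k.endswith("\\command")]


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_sha256=frozenset()):
    """Walk root and collect the three kinds of trace the report shows."""
    hits = {"autorun": [], "double_ext": [], "hash_match": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "autorun.inf":
                with open(path, "r", errors="replace") as fh:
                    targets = autorun_launch_targets(parse_autorun_inf(fh.read()))
                if targets:
                    hits["autorun"].append((path, targets))
            if DOUBLE_EXT.match(name):
                hits["double_ext"].append(path)
            if lower.endswith(".exe") and sha256_of(path) in known_sha256:
                hits["hash_match"].append(path)
    return hits


def build_constructed_tree():
    """Create a throwaway tree shaped like the report's F: drive (constructed data)."""
    root = tempfile.mkdtemp(prefix="autorun_sweep_")
    payload = b"MZ constructed stand-in for the sample, not real malware\n"
    bin_dir = os.path.join(root, "$RECYCLE.BIN", "S-1-5-21-0-0-0-1000")  # made-up SID
    os.makedirs(bin_dir)
    for rel in ("AutoRun.exe", os.path.join(bin_dir, "desktop.ini.exe")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(payload)
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:  # constructed directives
        fh.write("[autorun]\nopen=AutoRun.exe\nshellexecute=AutoRun.exe\nicon=AutoRun.exe,0\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("benign file, should not be reported\n")
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    root, digest = build_constructed_tree()
    print(sweep(root, {digest, SAMPLE_SHA256}))
```

Against a real drive, call sweep(r"F:\", {SAMPLE_SHA256, "53d572d38fd727e47d3ee99c4421ba8e3c0e91ef2d9c7d27535921bff7c146aa"}) with the HelpMe.exe hash from the Files list added, and expect a hit list rather than the constructed one the block prints.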

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 18:41

Reported

2024-05-09 18:44

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Note: as on the Windows 7 image, the write was redirected to the WOW6432Node view by the registry redirector. The 64-bit Winlogon reads only the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, so the entry is recorded here but should not take effect on this x64 image; on 32-bit Windows the same write would be live. The Startup-folder Soft.lnk is the persistence that works on both.

ASPack v2.12-2.42

aspackv2
No indicator rows recorded (packer match only).

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 drive roots; C:, D: and F: do not appear) C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened (read-only) the same 23 drive roots (\??\A:, \??\B:, \??\E:, \??\G: through \??\Z:) C:\Windows\SysWOW64\HelpMe.exe N/A
(The 46 single-letter rows of the original table are collapsed above; each process opened every listed letter exactly once, the same set as in behavioral1.)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b5a958eb46e4773c9cf8b619780ef72_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
  command line: C:\Windows\system32\HelpMe.exe

The second process was launched with a system32 path but its image ran from SysWOW64: the sample runs under WOW64 (registry writes in WOW6432Node, file drop in SysWOW64), so file-system redirection maps its System32 accesses to C:\Windows\SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.240:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Note: the report does not attribute any of these connections to a process. Lookups of g.bing.com and www.bing.com together with reverse (in-addr.arpa) queries are typical background traffic of a Windows 10 image, and the Windows 7 run (behavioral1) recorded no network activity at all. Treat these endpoints as unattributed sandbox noise rather than as indicators of the sample until a process attribution or a packet capture says otherwise.

Files

memory/3644-0-0x0000000002420000-0x0000000002421000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 60e5a7ba586b9950cacdb58316b2962e
SHA1 c02a19d08fba20c440d5a5870a067e2e523d5235
SHA256 53d572d38fd727e47d3ee99c4421ba8e3c0e91ef2d9c7d27535921bff7c146aa
SHA512 255c8242dee2c7e55d3c2ab180e0f253dc940bd3e5d7bf4cd55ebbfae9930b9aac91e4afbbe2f3e04548a813d99385a6c4839a1647ecb5a8c0788ece65b41619

memory/1620-5-0x0000000000630000-0x0000000000631000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 551bbc8c53bead312c82c5cc30bbd7a1
SHA1 5a4f919c03805bd67a99e04d8a2522ceb8d8251a
SHA256 906e7053f19db05de13f9f6e90276bba5ea75f9690585606745359cbc74f763c
SHA512 fe3e1c8aafeefc8336bf528fb4220209f2ebe5737816d5d07ca551c8797b60cc296905dc479c4cde321b6c0e7ade0b6646a5975ffdf18e3134e4becf68aeb612

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 ea6fd93a447671726c9b61abd571141f
SHA1 6b690df6f906514cf78efc0602b7230289b04054
SHA256 1b03dccd6084c11da96e0ba5c03fc38dd472328994185f708ff524ff2f1ddcd3
SHA512 e980e85332c1f5f280105e6def7f1e3009e3a8e43700da506895c62969efd8fe2609cc2cbcd21919e988eadac69663dfbf9750d90045c1aa2aa3324e84d26315

F:\AutoRun.exe

MD5 2b5a958eb46e4773c9cf8b619780ef72
SHA1 55fd1b59bc4401a581e1cd3a8d76a0f792a4c9b7
SHA256 adef926286b3351e3d4abc650296821f24e7bfede5832af2989a7facb57b9a0e
SHA512 47607151384649e2e4689dcc7da6c265bbc36caaa9c44d54943d3cc1ec8ae280d013be65447c994f90ddb2e67a10b3f1429b717155ad088e1e024a24d3a14da6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3665c22b162b748278d522c19dcb5cc8
SHA1 c96713a52afe2c0619cec8a33ad592234d61e246
SHA256 efe3690ede12114d6c8ebff4772712eb8544c7fa808bd8e43e380bb2dcdd7367
SHA512 3349747781b340a3dd0189deef0017ef4d9626dcf215e1a29e84dfe3851b7754d899fd943627e4fb0dec323903c5e11ea17acdc1871df2f78406817b4c42c72e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d6f39fa23cc903dd98bbe63804f8aa5e
SHA1 b2413117ce10474ed0f7299773488b17ae1e53b2
SHA256 5e425bb4f2a7c470257b8688a297ea88f9619d19dab9386d037bf86e8ab3be20
SHA512 9526c158c14076a0e6536f72c6b516c6392ec117b77ad3422554aed2bdce855189c7f4a28ef65da13f192d4d4ddd14d4c25c99b2be180d88e32c0f22b615aaeb

memory/3644-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-49-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7caa3def0d215224a50737de7649c1e4
SHA1 9b964ca7c5a7620d8370a3cc142ba9aa93381b77
SHA256 ac1787800db48cef153b4a2fcb5a7176669b8276827f764c1fd57328f2d493e0
SHA512 daf7d3ca18f30d90027d72ce68ba6dc65cdcdb57ffcec40f70eb59c3041c3e6dba34502da0bb172ecee47a4e8ee1572c027a8b50511d729e24759c4a466a8f6e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a5305156f2877a9e26f47241cee23baa
SHA1 9e198e239c531c2ea94cb3818723f55fb93f741a
SHA256 7d30d103cbfea5df903e7e60ffe4775b31d62ca95eea85205ac1d8702d00a925
SHA512 52d03d171e9904620fd6e1c77948dba25f08be01e3b3f42132e2eaa14c76b7f39b3c195af10f5171509c61185e6d69b21cd30b929a0ce87ae0b7d761a9020718

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 36d174bef069d774f2f50a4691057840
SHA1 c8a72e6696badd6204b16f028a399210b87d7a18
SHA256 74beb6f8220546cc52ef920b3d2921b39c8aa57a705b6603923c39e8d14d6751
SHA512 77568aaec2a833a86768f80daed022fb322fcbaaf35a8eb7aa60c5ff5da88b6148d4dd621a61f8a5fe850fe50468ca771000845f206307cf3a372038d8ce4e5d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4ca683d6914f6434e8ba7109a1ec975b
SHA1 387fcadd25cd8df15890594a972f6011d78b65ca
SHA256 ef721cf2fb47afb372fa7890e5fffe25641784b29194936b3b471b80e4140725
SHA512 eb870343fb748bc13078580aab9aa334b5fe9578cc444f0a98c23dc4ee2b94de2cf88d392ce66a5fc882e38d0ac2f004e3e156cc49f9474ad2e42bdb232f7b79

memory/3644-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3644-60-0x0000000002420000-0x0000000002421000-memory.dmp

memory/1620-59-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 92e4348710ce5e5233cc0cdb8b9291b0
SHA1 052d514b8fcf3dfe0b46709dce09414c6b09e94a
SHA256 5f4707fbd78bfe4b2b89e58c48471488b9049eff106e71c23ebe5857cbc87e82
SHA512 ef8bb3ff04832686430fbc74fdfefc1752207311e2d4f993448cfeff59181adb0fedad7702b95e4ccd6a6554fc06b98cf853af17bc7c547c5122e02e75949113

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53a3fccf235d2842fbeaff08ebb2f842
SHA1 aba3ad25ccf5007e7d6e6a61a2fb23450b98c1d3
SHA256 c77dd6f83071bce1598d9ba2d599be193106850b0a1f19568bb46313e1c015e4
SHA512 4d98f79ecff65ff427e96545bf4ef306419d9014ce27b75e187f6c4fd48b244d626c167960a3266a33375953cc5ddfa10725de73bf8608da01bdb15b0509aaea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d813863a1efa8d9d02ce9421ab6b8bdf
SHA1 8576827ca560113975db3086eff08d66e4b72e84
SHA256 8521ac71a2e4c2bd31f34cbbd39816dc65ba4f5c803951839bdcdd063a53ce5a
SHA512 6a97b8017beef82a3808faadea02e8bc8877f9b88819e0c189d8b349a504fc33c5cb1b1a2a39712988ac286ace194471ada4e534544d0d1b1949defe33fb8300

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4e132eb7f69f330e8dfd01666b27bc9c
SHA1 c4a5cef23a2518e69ba2998bc0ddac874144e731
SHA256 0703ce6545e4cf3b47bd2708b35cff7e5abcba2d1e428c9d494b32324134a839
SHA512 ca4ef57c2c03b2b3feb7b65ef185f74ed5dd73ed6beba6b0c694e12a9074266322d7a7e90a360a9c48c946669f12d91a7b42255199c06e76abf9a473da76dcf0

memory/3644-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-70-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 993b50b36da5d8c537dcc29a626235ab
SHA1 d23df43f6dc86ce86d56a3e5990fb633d9dfd928
SHA256 aeb7805ab4da5316042bbed2c6ef2a4aa3cd82fa575e5cf73d329cc81a11bfc6
SHA512 0106640973d818249138ebbdc995b3e6c214573fdfe652e3c2f50cd21a766473df784fa392faa7a82d8eba5a4f9f6fd41c7e11c9f501b6e641261c069ad3fb0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 06168b7cd56628b4433c8db88e5ae8c6
SHA1 2085cf0e5bd0945f4a63bfa45c1e88f25396e56a
SHA256 cc99e4786267618f496451532c663fb38782152a4a84474e3af2a996033469cd
SHA512 1388546173ba61afe58fe4fd1aec6407b036997d07756844036bd947880570d65d444bf218debef53fa51450b95ab8be76f5adad4570701f8422bcaf308d111c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6bd98cab0a1e1bed193f5e3ace02c229
SHA1 657faffb89717df9a6a526149904c0f627f6a26c
SHA256 e12a460cf06af150dcc826b52cf01bba1370c18c30c3d4fa4328a76f4a1d4f0d
SHA512 9bc775ac36eb704f50ae2bd6a2205d00206bcedf6fe3054bb999b2a7be670c01ffc8f91b8fe000d4349830eed877a80bfbc1c72e3ff68be55704b624b769355c

memory/3644-77-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-78-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7524cade08a82626da72f452f076cb5b
SHA1 f9f2c4405896f66b3be794e008fe905f8bb51c82
SHA256 aea5c3e2055c4c253ee75eb08112a6309d1fdb4276fa67b9ab0a2d7141f3856c
SHA512 9a4ac648cf0b3bdb49543d1921fad3e7b6f1979164baf74f744796078ec86e6830c99aaf898be2b67d702ca526774f6b8773652dd44109b246a72e6375ecd627

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b3c34faf170c75f24c002f172e7e7d66
SHA1 71325e4dd346c00d72b80e04c78a6e7dbb302d6b
SHA256 6da8a00e9656a89a73df7752503bcd3ca4d8995f9b8300a3d8f72e86dcf7a72d
SHA512 75066220b8fe70c8d1bd8e5557c28520ca81e38015095ca88007e76303bb39341406e3bc19c2a42185bfdb973c1274135f02d9d12335099d721200b813bff81c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1411b4c5d571052def4e9aa8df3fbe79
SHA1 0f73a47bb2b87b0d98b7f06fb965b879ded386d3
SHA256 2b898b903b681e6dcf014f8ad908817d86c517ddda4ab265527292c596d86df9
SHA512 28bbf669e6b8544ddf8a5c1d3608a0ffe2a9d5ffec61ea4beca215f6e13484dd0fe22afeabdc30dabce74719d9d69ed3ea63e14caa7c37e547ce01928963c172

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a9b86636785ebdd11a2b7f25249b3a16
SHA1 608afa719f5b5bbf1752a1dda8cece349eae2065
SHA256 4f121d2627bdc31248e3db4ea4c43b60677648067315e08363053d56bde19a1a
SHA512 09133024f6c5d8de4d8582dc7687415ab3a4feb40a190731aa46d0a6d6b71949b38feb08d88471b564c3f08454be06be6d5e45e74c39016ceff99ed9b7aa13c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f2fe4a15c0a81de63eb29241edd2be7d
SHA1 0e6f6c9be52841f511636e0f78a1f5e149eea5fd
SHA256 b997062975d3835c09af9c5bfaaa35ac2383fe77cbe6c12228f119c67e742a00
SHA512 af70a75b4ec8f79e5844bde32f4cd675f45aa5ffba7daf5efa1e29f907d0758981738599ee6097a3178abf1e0858e3c16cad99f3a0406c05011f3b0d6628a698

memory/3644-89-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-90-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 76719791851825cde06a91f72c156706
SHA1 845676321babb730cedb490316078f78cb28cc11
SHA256 becc6f0cd0772b6bdfd7b94282da69bb5f67167ab012e253c152a704f28a3804
SHA512 4a7dccb8579c43ee287528c50618b6c335e968c28f06961a782d873bb632f6e7548bf2ae3604e7f73ef7256c463cf07180b6689cfb75eadf8d54fdaf0fb8eda8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4204b21ee872b5f1e2d285a04a9b004a
SHA1 8e9b1014f948c474b3f03adc18f15a772acc0fe4
SHA256 c7b9281443aa4f7fa051cc2fc8158176f23d4c8cbfb28335c405ca092f19233a
SHA512 fcc372a0b11ca786f886dfb73aed4592130e6c70a45b3f7cbd8f24415f5d28218297e46e0d0e69da5fe3122fad86f1d0fb2983a511f15179d7ea999689335714

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a4605978804df844f999f7a4b84c5ac
SHA1 c7fc509ea8f0c90ae544eada6e92a31c2dbd6fbe
SHA256 b7b3016643f712361f7c4ae4a68deec16112fabd012c848c574f522f058a55df
SHA512 11f53fba4aefc24651d53a75dc97d69e731674fb8988722a5674a288d8eed4f5f2511fff10f8f01b4b7797e69a4a3c3606f3aa4644eab4d1cdd692a523b66309

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ddfe68d3bdbb10053fda8f87e22854a
SHA1 2bf41a9dd06aba66dfbf9927e567ecb31452c24c
SHA256 820ace84c5693f4b588633bdbd05e59eb741d0c213434c9d6884cb3f3cc70071
SHA512 d1f7c4d5117f3001f15871b66251e9d8c6b19b09cc0d24be542790a71e12e52ab212bd50ff8ed242bb49e49251b07d133b1b386826869d2d087f75a6b93fcd35

memory/3644-101-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-102-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dca54eff57f39fcabf442544bc8ce689
SHA1 3dae12ac1103e5dfd78466b9b5379cadf7f7e292
SHA256 8c9484aab6c26c032bd71171426468ddfb78a41895856b94b5489d479e37c0bb
SHA512 73df873b10c0d6c4fd2a658a162eacc057f0c55c5a2c1dfbd2269b9c96988008cfd202290bb70f4e8bf370cd8b5ee52b31b8c58aaf62af2127d7bbc53954c65f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8aa62126afc07025fdc4a6c963604894
SHA1 df143d70214c19185dcc6c29aed407fb4b6813a3
SHA256 f0e6e5aa05c8e7511dace033ef313360c7b4d9b95459b19bd06f76e575e5700b
SHA512 687bb22ac9c49af25e297e1da3d67fe929782f8dc20273867ccd656d1e44b5ff18a003f79d8a75cb71aec649c7d921c8120ff5aae736adc093b3a25584b3f7ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e81f5de3dba8800cbf52c85def1e2c49
SHA1 288bc9880239135e9eb3217dee5df798e06c5ba2
SHA256 d93e80dd38b7da8bf9c7bd31476bb55ededf420d4eebfe974a40ce73342c0c14
SHA512 2e00e3a7489a4dbdbd2c540d25def9689825883489821366205ae7243d580f9bccb0b279cbb3a92df3d9d7be9dca915554b2a1cf86f90967e62ef71090a204ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 486988a2c711e307796b74e52a749b52
SHA1 f03709012ff0f6b5f4d60e511516eaaa3e30402b
SHA256 359eb3e478ae8a470ca34e87a6a60809bb6a2955f5164797ebe76e5bc92d05a3
SHA512 08ae4499726165020a633b776fd973d1598f1d95e376c68b4300a4a1c8831e3ec25513491376948aa8bb6e42f281f8c61c9fd49ff789b78ee05ca750ae77bc77

memory/3644-111-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-112-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6a8fc3f6d4ff03217615e693152e371a
SHA1 e5044224842b765255c32a21d19cad376b28ba93
SHA256 cde4d6ea89a00ccc30f30d73ef2dd743e39980d29cacd37c2988897596622588
SHA512 2bc787f4c442964b7eb1fb2997de3b9cff2e2eaa02b5a266edbebbab2a56d05c0cb280fbccac40bda3fe44eb98cb59f2a7cd9afe6ba580b7c8268624a10542de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 02622cde664f9d7609540c74994cbbc7
SHA1 0ae54323254febb8af21dd884f8d56b34ad7edd2
SHA256 b39cbde2c2d0e19477d8e2a207d049c27eb4ddd998636b3dc1fbf8cb0544aaf9
SHA512 37de36ba1c748f6b227315009633a622e0c96d5302556d7c7caa16c28fab833807556e9695c620b6c7c2d3a7418213e020a3db78018aeb5710250828f1b4b67d

memory/3644-117-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 968a972de9afbd67f1ca6d20eb61a45f
SHA1 5b499da2840d96cde489b65932c518050d7e7b42
SHA256 00f22b99a073301ac8ea5ad22667b120e8685a8f79a770eddc8fa1d8427e9952
SHA512 cae9d26b68e9c0e76420a17dc993c2a54812617c915248a8c2fe6a6d743ec6fc50ea561c9c05de22a3dfbc431cf07f8db923027adc8c926313f6777b8ad9dd5f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 551187d72ddeed00f762db17c0dae54f
SHA1 acdb013bfb6fb934a008b94d357d4d8bb87d9442
SHA256 cc3b712b592e3324adc664aee33f03235dae22fde412ad61743c57f840545bac
SHA512 75fa675540f139850f3c0476bd4ddda356417817659b5cd54f932baa4c5715f51f0553ad34debf91784e63ba386f22a52154b098cc64d40b55e5ba26fee0e896

memory/1620-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f9586064ce89e5d39380dc8eda258128
SHA1 6ea1b6406c30b883a9bc93f8cb72a5bd5bef0311
SHA256 6fa3255b283c45ca5bb96fa9317fab5f5071a0007d0c815c4a3ccfb0c6d56f18
SHA512 08f89cd22f967449241ca4691e4ff7fd2a4d8318ffca8cc65819a8d2d660938f70a3b1dc899b71e16542847e31c450e9eb4cfd89e14e4c5d198b9f4932d34222

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b301665431eb8afd31188fc544f330db
SHA1 08274703e72db8d2af04324cee5640aad537c25f
SHA256 4c97cbdbc5cc49a156fad871dccfa3be3bc2e911fc1decfa614d7771b259cd49
SHA512 56cbe67160e42783f94ed5844d8aaa4bc5e34935eae4892abcfab01a1c639161ffd9de06d0e28d2202e1a6ae380ae9b9f4ab9f6f9de5d914591ee85bbbf7c29c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53b292e3006f4f0d9ac0fd0a841dde4f
SHA1 497a957bebc437cfc7e44dde53a33ed15ecbcf85
SHA256 64de7bcef585ab3abb7d01e06c6e80cd703f58696a054081eda1159426e88cce
SHA512 961ecf6a797838e9842c3cee38982d6080164b3e48749d156e967e4a724120b2c31cb73c4bd8e13b08fda7861bfc385c40fc480a0ebfd027d7876a9aca730fe1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3644-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 66ab08f2d2afa7117a3d441baed47aa5
SHA1 426ba141094cb5f8b0a8f1e517ed03a51eb8449b
SHA256 bc298c97a592040c2a2bf5a30463d90aa1b53d7d4b9de83e5a3299ff3048b93a
SHA512 0cd9f7d13fcf8f4051815ba6c59b542d4ba63e946f6f4b39cb0cfd9472e8ab0956cb29e462f6f881ecf40784916b76f853347148b526f3c8d18ac44815d5ee17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53510a63a63d7f57c78641fa95bc9cdf
SHA1 a252e7333f3a5799c3821f9160d8993d856b4b6a
SHA256 e8c873b64e025e8267943cc5bfcb20bd282100fa7ca35ac125f2cc1c022221f5
SHA512 e6d50deab903854a843334da9633ec2c543e4a40b7e5e00d8a00db424f8824eab3481b967baa4be42f18dd866497e9046da8f741a7883b44ec762138e1a441f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 707e4d00cf2828d0790b896b01639ee6
SHA1 85147353f76b3fe1201f131efc6856bf836aa933
SHA256 9a81fd4c06e03eca7af0ba835ca3450c45de5bcc6cb4fb5a8152b64d95ef5bdf
SHA512 d375a349a8491116a9806e87628320f0f2140fec4969eae05f48d0d5ae102678a57e53aa5c7d29fed17ac74927d1614168ed4fec4c54e21d915978bd240f54d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b5ecc9ee6949fb589e592bf5cc2bd314
SHA1 6506c718c1f58437f200d3d7339ee1cfd1a3cc24
SHA256 9a45f8bec23d143c32acac09ae0d8d9dfc87babae62d5149aca8a3187798e293
SHA512 1d5d03a99fe019ede1812acb76abe7a264e1ea0559f30e30d0bbac920ae64ee5aa8d26356136eb1844ae892b9a9a1b75be19fa1573d60df3cfec3e34683ea8a6

memory/3644-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e433b73bf3e5c7ae2bc5dd97f6ed4a0
SHA1 8fa17a754d0cae89991ebe5c2b209c3535215fdb
SHA256 7565bf95f0cf4ed8f8e649eb1bb6360c831f475d60143d0ba31dae04f383bf33
SHA512 78e2dfd5a56f9a8c4830def8d24830ba3035d965c6e73c348dc70487d932d6c55c4016bba229d892977d8a5ac7ef501ba75dfc17658d3d520db1d49f465ca41c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a3fd832458fa1daec7ff3701f347b719
SHA1 87d479f17ae9ff0e9cc82413cc1466154a966deb
SHA256 9a83ccddddea907ef134e4b00ef7772a9a0108d655e6c880df31aa5050690b1e
SHA512 0dc1203389ea58872e688a349974be0e5d572627745abaaea2b60c0392f1a2ff4e2ec501206db12510d1f587f2257285e6170a59d6162f33a27ffa905783a773

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f8789bc455d19f6442811c8e6268f7c1
SHA1 fd7b2c4963a0ac9f3e1dbf315699418780aced8c
SHA256 3a3aa767d5fe7d363e6132736c0b1bc07201feac6da44fd90fb95bda09e6a5f0
SHA512 f4374d0e05a5cc89e3ab8f9c6d2ac91bd53789971508657ffa98b179bb1487febee3eb98593162b0c52ba99dd21a72e0b7d7f04fd1a073df148154e3c6fcd1d6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e852ec9c20d0d7c277831ad93c8e3fc7
SHA1 e65d8510aedef3d3eec64a42e39031945ff616e8
SHA256 84edf30593bf23e583c1e16b577f587bb4968c6e56f8f291548e8c9bfca2004b
SHA512 1e31a9a29995ef65643e0b2f062a3ce28016d642a1d48e7c0c1bb7554ce8275acb15edb184fd0ef64218c3a77326a100a44244145577467d91313f02a5bb1935

memory/3644-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2b4d6fdcca5d6d17a3fe2b1dde79340f
SHA1 27ec1347094177a93cafc1cbc67e0d2176532900
SHA256 142a3a849b10c21559f47e0dc913fabddf25a3b62f4173a67e4e7a0b2edf78e8
SHA512 331f1140b3838e7e2090f9d0567ea4e5bef5fe604a9590ee481167041b4f6834d54b242b8438d6cce783dc3307c5301059dba85da0aa6b772e38bb9b3f45281c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b3da5eb1653979ff23f97bf9da8bc457
SHA1 2df3a22018c4a800a8a0e46e22c94806c4c8b5b9
SHA256 62c3f0fbf6c267640b6ddd54b92d888214642b98ea8fb3fdb2af6739a058539b
SHA512 282b61954cba115959e6202d5b7db0ece2a7cb6a16ab462c545bd0e0cd84befc6551c54fde17ebaf8197eb33a5e69c9a6f1d79c60a07c1d2195fdbff3a07c065

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 62797ec3688fadd856f92bb2b9a42227
SHA1 471f27fdc1819979c4b0c2197c873a614cf56d21
SHA256 16d537fa2c7d6ef21838b28eef383164608abf2e2732645ddca3760ca5943a87
SHA512 c8585e3e64454261da39964809bb905a9fdf0850418e928cd30ca6b6edda3cffd20c618033890140a8cca8cea9236659b18cd2ae5356d888b98aa2a2390a31e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 98a4e848353dc77744910504591c7e9e
SHA1 e68842ed046de15356922484c9861b440e4a0831
SHA256 0f855e6417dca9522ee10eb3c66784df5da2f63ba80762f9f2570614ef77f5c6
SHA512 cd9dc5e0ac8f4722d9f4868bf27bdc000304e0cf239cfcd41e89c9a98e5958449e50867bb5d06977ff41e48a1c7791602eb66a5bb2344d9a384ee9f9bc619726

memory/3644-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d21561a6b07ed3609ff67082706b510
SHA1 22619bdad47f5b8ce35d3a9c02730d33028a8cd8
SHA256 ddb4b68857db3ea5b872221cb7321bfc7634f9002d24c407ffaa20da9c1f3f63
SHA512 bf45809f7a8afce7629cc4989dfeb1cc9865a702cb6c58d430ad71cab60ad0f5d074a33076e92c42ddb3106328898404a061da4084ba965713a61ce2df86915c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 121b044d561e87c0d4a3580035e791c9
SHA1 042d4a3d36a0e90e64c78cfa7cd998941f5d37d1
SHA256 6a9c6d086c336d2607925cf4a3699cbbe6e149b37a8dd3cd96b616723141ce17
SHA512 15db3c3224902b9583e7b853f02137665ecfa9584708841b0a2a5e3a644c955bb46096657f2f22dd9a620d4057c1cbe2c9668ad90cb8412ebfa8411a405c8b2a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ca5828c5b65b51326d9ee3031b074aa
SHA1 454fc5d9132cf2ca5bf6589cbf44ba16551f467f
SHA256 7479fb184a63541e88b87630f43057127bcc4461737e996b4897cbde9ebd2eec
SHA512 c92dada2be1be2af3e9120f05aa4c1cb559259c1cfc7e069dd22de1d4b7833354c685ae6727a295a9d42d224473c03080141aa9293b29c2041d60bb99f5f0817

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 433d5c24ecc0c03f66dc20a3f319d40e
SHA1 f6b502687584f837b9be4411234d212d66127751
SHA256 5475bf375017737c8c8269bc4b4767e9877c5c7d6e4f62365ba1555c8608bd25
SHA512 6413874efc7cf77531d3d16a7c206f589d227aeed5b0cb96604cd9eb72f65323b365d6d89d982104b2d78ee26466450b7fff236fd829a70d8ed21f6b51eed732

memory/3644-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ce814601701db9596c61ee7672b22c4
SHA1 704889c8f9b86841d35a2dce042e7fe51c489d6d
SHA256 cef8f7b730bc734c7af4aab2f8523bf27688c0be5e5bd500dac7f9dad51cf563
SHA512 70781b9d557f73656c5927fddbc9c900056b38573b1f040b923b4c565655fd8f11e3ec1f4bfef74a4e02fa5aa62a80738f26acc80b036d305e870ade3c1dbc33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 94e2357ba0e23b1496a3b135eb65a3cb
SHA1 4fa8cbacd26c9baa5f0ab2a663f4e9b400aee337
SHA256 fe37678bb1d69d86d3c02ccacc5859a8ab28947295cd801c59c93e7ef1246027
SHA512 b3cf8e5dc804e17d742a6329d04cf50744ab618836974c9721099507b591b7d3981ac2e24fa1f555b0cdb133273b638ce3d86c35ed422aeb890b48bc836f65d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 33e39913cb80c75bdfa636a8b2802662
SHA1 da8350fd7e372e125cc92760070c891e6e414d2d
SHA256 f0b1ed39b7811cfbd07d5c27808ca71a2cca37192a8c0375611a3abcc675414c
SHA512 70d1b358df67bb9311e2a7c78a292028a53dedb668a34c4c1897327a8c007e4762baaef48fb6b952adbd2ca29e04388dc2aa7308df8dfe416e5e9c746f0abecf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 86194362556e4e197764de44aea58ae8
SHA1 42a1ceae9c7ade5d03575211880427ac2b430d97
SHA256 dc04d7c673355f13bc427f7a00e82d4c5cb3a6c28e660a27b7227684954a7ea4
SHA512 adb00f578cfe4e5ab6d1b15016db71cc5e11835f103977810ddf7bc49c25eebfb5499ad7638369d3b3f9e5e3459d02934077e3c2938b6dbc194c9979b0b76101

memory/3644-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1620-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc5e7e2b315530a586d014b249b73e7c
SHA1 8715c413111c048c8b31ad1bcc0762f96528f915
SHA256 e7b4251b387b23eceb67cb352bb434b70e483cd5900be25f3fe76a768d1e24a1
SHA512 fec34a90efedea5c800c3744666d36627776f2c259c763ab1a07e76bb4d69b051778905690b41395e27592de64b88032faf2ab2380fe5256a330c961b30d6ebd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bee4926312c0b2d3d012b26d0307c948
SHA1 7025a7fb941f847071b82803312c49cc6b0b4a98
SHA256 1501203c9597f22bad1a3ac0877ba13e7f1fb078f64eb305f05903f90ad6e409
SHA512 6acff3956df39cf7d88d6bf1e7c089ea124ee16b14d39f4a6223ed7bddcf4d880f070b75172e56f9eab363abf9f3125e932501eb5891cf386d8b40662cc625e2