Malware Analysis Report

2025-03-15 05:45

Sample ID 240509-zf1f4agf93
Target 2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118
SHA256 4a6adc48a67b3aaf9c27458c4cf8f5a5bae71a8975758ec179fbf55558ce3d8e
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

4a6adc48a67b3aaf9c27458c4cf8f5a5bae71a8975758ec179fbf55558ce3d8e

Threat Level: Known bad

The file 2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 20:40

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 20:40

Reported

2024-05-09 20:42

Platform

win7-20240221-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 20:40

Reported

2024-05-09 20:42

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2b9b97d66108eafc2f889d04a66ef7e1_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk


memory/3404-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 321cf0dc70d1ac0cd183433364e044e4
SHA1 5483db31cf543640da47e6288635e48d82903844
SHA256 7d56b0a55106cdf58a535b3fd585d0b8e73b385facab49416309ae204ea61542
SHA512 b4af2b334d97330ef1fec6453c31fab8b0b5229dc1d0e4a3d7d4b1a286f1cdac278ffba3be0ae17502652fc1982d3610eaeeb23677e7b2dc459a6d05d0d932c1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f8f83e82b43dec0b3cf4ac47e83f88d
SHA1 0eafa099f1498d1400ea6396886175e1c4fc578e
SHA256 964a17382a476646ed51a3c5ae3bcca59d10562dcf31afba46e4050be9a7d755
SHA512 92e6baefe89afc9e8e173c9f0b740947601f36040a7398a76dd945bf6fbe7093dfff67d49682368b3ecbe766b50ff831298459fa9063016a549d438aa4f001c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c69223f47055b86ce9c137ce96796857
SHA1 57079decee8993049a91c143233ffff3850326ae
SHA256 c0407796dddb17b30ce4a84b730fd75ef4865a6469b8163b41e2bae8dc84b470
SHA512 f21ca4ce83cac1fb9ad1936d59f4189b712f24af9a46aea53c0d6e134f3362323c8653952ccbd91aada698a40e323b3121415cf14e4262dde288f88989654f1c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0caba12b30ecd616414a43184a877388
SHA1 4a21b087b8b5e2e554734630bc6d8eeb1147b694
SHA256 5b8706960cbbcf5331ce771e6b4c5d1ce917440971c751ecc1efd385d4a187a3
SHA512 8ded5aa1d099f455d0da7a9d76d7dd8a00b945091785a0b8d08bcd1bd2870dea51371e0382a626d2c18ac6991ca776695e971cb7ccdf21d633cd326d7c0713e7

memory/3004-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 01555dff18d585e99696ad535e473320
SHA1 aee8f47bd57855a11b06fdb4596a59999d058403
SHA256 7aa05a5e03a910a5aa9b9796bc947c0bb90162b9c2f81b45d6f779d66b3283ec
SHA512 fdb582ba021fd4d680db5ecc37a36bbf7f401da56d2a77be672cee5ed703d654ba27c3d7800579ffc844406e5e5622b029fe295fc262acfb803cdee752796272

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b1de4e737c3ad4b22fbe275d2d826420
SHA1 588628faf75ac4d042176cc6d7aa3f3716f1a52b
SHA256 8de5d49f38dc3550d9dd9a07e1bdd5d8abd3612d6f4b61cbed2ccd58cb2890aa
SHA512 6d6477be9dff1a7447b19f290500db208567ce50bfe248209e3ecd1f3e52725209cdc5d277a3cf5349d19d5f6c2b85d69a2ebddb8b4a359f32a7f67e61c2d91b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d783cdd7aab9b5ef7641a41f4294bbd6
SHA1 723d4afa0b90459513299366670f04202ca6a89c
SHA256 a95b5b84b229c458d67c9e4b4933d16dbd572faeb2e37bea1b15fd04b2c22f15
SHA512 05d4c18aae13b5a5056bd5e25d259e26b6abdc11965737fe3d407fbbba6b88f18d2625d2bce6f5ba1997f150da5ae73120274e8c59875c26dc6df98c025357a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4b8f15335b2bbe8eabaec25d5cd99dc9
SHA1 1ba83f1f20707c0997910c75983aacf84bd57c9a
SHA256 878a048f03eeff82b5b775cb3e64e5fd59b711c0caf0c068c60ca4735a07698f
SHA512 d2d1b3405ec03f13af1c62f380efbe703319770098877fcbe6954337643e0f2affbf813544b888af40b69d04c4cf8faa5d628585109ed68528699e795ba346e3

memory/3004-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c4521035c437dd71c5231667a765ca2
SHA1 11e104457d8aeba8842b8029c15269ead1168160
SHA256 a1eac31905363aac6a5f7760bb9265682f6fba0f85c6fe5bc159f827ff7ab2d7
SHA512 4261fcb722d569d08088dacd3f38193a9ee01572be383e80d3b9ac2f561db60d7489314a4ded1425cb23d185a635741779230e24691c55d06196d9f0c1806d24

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7bbe87b3b5d02573c2a5271912159aac
SHA1 30f6ffef44d346545cc21cc6217311facffa59f2
SHA256 4103214e558bf80fbe87b3f7c13afa6c59a1c3b7067e7f4441f9b05937d2437b
SHA512 fa2b1015a3595982988ab00bbd45c808dc611dbefd6e8533679a9672e2ab02f5ffafbf9fad1d966a164c8acc7153370494156e474e1781307a1b65453c7060ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6fb34c7a9fe868aa51ed7aee26f979ce
SHA1 89743d59410032fc996b5b58723f623c82260d76
SHA256 8bb3444dcd5c82345de644a5004e6912e8498a23e56690bb9b2cad1cad474752
SHA512 431145c857eed821ee2b1e69949c81863b2b0376a50493326f89a084d913f9a9c3fd5dda7ee2cd00d368dd8471184354f6c14fb20d2819dbb48ea19b8fb3fa61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 593e5b6aa0df013ae1d815a7540bb366
SHA1 2a80910e09c38affd36e8823f675db3a821f84b4
SHA256 7bf08510a791e7895652592f7fb29971e3c5525d473a14d8c78d6488839a3102
SHA512 89edd1bb834756889ebc627e926b73bfb387d21a2f9e979885508ba4585d67a8201174f2d5402b29380cd7737aedcd704078dfbe25d46741dc296319ba31453f

memory/3004-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c73140404fb5815b6a1f4f4f371524f
SHA1 8f58235eba6dc9845c2ef7e0ea15ea717bdb3252
SHA256 8ea78835b742b81ecc64ed156f706977f59b72a037133487f2a00e52f6bc6936
SHA512 7d8d39508979b267140cdb1aef6dcff331fb0f4fb4b3caa5a553338588d1fbda4742fdff4d01402ca87cbe36f15904ebf132574e7d50491fef0c11abf22d4d29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1fee03379189a5f771319b0955669635
SHA1 a515188df659c937342b858342d7198a73b4ce6f
SHA256 ec71c8c0b9c1347d82326467e812bad42e7a7fed32f76c8000f574309886031e
SHA512 176315b024867ceef53748737695a2e9ff95b4b8f5b7de9bc65dea847602c567f6e5b74e4ec0a8fe7116b2bce2ab971df895e355ee5ca879ab223c6c45332b8f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e9db2b4f39ad0f5991504b7c1c5856ec
SHA1 1736b6ec96b12e31dd625e92c6db552fb60b7c32
SHA256 9d40bc83701d49b6b43e6a67cceff7c4d709efba666af74b491fd0c6cdcc5c8e
SHA512 e8a542c492330edaa4686533a690cfa4ba42c58dcd43186c0862d9a6346ce9c20468cf81edf893d1ec8c694e1a8dfb3476a5c9c8760ed1983d1800fbeb9a7e4f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a065511a6bde64d458eeb85eaafbeaf2
SHA1 fc89c34dc485556b05f161a847e67f2ccd9d91df
SHA256 dbef44bc1298a715b4191b26c7f6ebdd89397978affba8418ecae846f2d8b198
SHA512 d4def15392a8b8f3e6f5b059af203b5247009b085cfa2fb0ff6cd9882d557ea63b9a278b4894ca636808562238932d9cfb226ca09b551b1bf907230184f3ed01

memory/3004-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6d4743e329e5394e332a5161cc6d30f9
SHA1 ce35b2810d8a17abcd9dcb00911bd1f3a0737554
SHA256 b2427df3dfba3538326ce2ef6db870a2db17b5228148da902d2e32ad8c109d08
SHA512 3685274eeb50808c79c46030cd41eb44cb5df8d9cb198c1c37daeffd7e42ba63a613f461614e5891d053e270256f9018443f93eb87339e2ef09164b59d0a3ece

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e06896f7322c1d36861835cbfd515aa
SHA1 1272a273f2f70d15f29166c73414acb11b479c9f
SHA256 9743888b3ee86c537f64c6463fde2c205f2431413fe0e284df353f1d8acb26a6
SHA512 515df45fdefd18d2c363641396d0010bb5bb9b75f6d8be1a87a1c453e20ae8c982eea7c541906ac9aa8a059e2013fa520efee326811be1c9e43b32818a5258a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 25bf790ab335c24c7c020620e4635f60
SHA1 39c35df9a7f03090f42c602d1058fc3f0a1a9203
SHA256 8a090cc6b07022cd11f5cce53746c0906e24a460f587ae0baba6a6ce6e91c99a
SHA512 dea75307c524618f523e4abf9de1ed6b37f3f11ea4c0f26832bda51f1e3471dcda7794973b1dc5fa72a86420e71f16c7bb628bb803bbf49c7fb344ac454b4a42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c8b62031337b451f03c037cd723737dd
SHA1 35a927123ee45e1ffb092b4e9c7111fddbe5c0b8
SHA256 c8828dd7aabe636182a4aecf6c6b170472e2dd0b26fa0798df0f0830a54ec190
SHA512 9fdfe0cc7ffcfdbcb596c190503ce6a79ba3add0dfdad53df46da65505d81095e1eb533e2b459711890db768412394b4369414cf3ee1dd63bb99b713ef3e2a04

memory/3004-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 881b15ecbbe1ed2fb658d594ca32d16d
SHA1 007a280e1bc803af0ce1b23ceddf2830c571a813
SHA256 03dec23a17ac8d9f7a675000e843d53ceec6af95a27fd9b4e3513b3ab994d3b5
SHA512 b94441fac8c46aa0a50ed9fb7cf77db354eac54f530b56564a58ba03b2f9db47dd0bfd5ee6518496db772c19bdbc054cc1891ab3572d24ad888a11e1928a4010

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b1a06ec48dce6844893622b88cbb9d45
SHA1 d78c2674c2ecb2bd0058a81323789780cc5aa526
SHA256 ab363cf440d105334559a847ed3bc925070089868813b8b59275aa5679fcea6e
SHA512 9ba0099c61dfa30b735f47ae9eb9814047659c8f1eaa1f2a2af6b518aace5686bc515e6747378458b35a416f20517b087e20b34868c4a419e6a346876afb2735

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ad428f0a2d22e466d2de147b905a30dd
SHA1 153baffa2368f251d7fe5818f7b120f31d2b929a
SHA256 b71dfe0e86b14632a553971ef9de69a043d7edd7d4bea43bd4bf5f79253cd53a
SHA512 3b554513f5ef9f3385e43ef8c58703bd2fb5ed5689175afad4605d0d225d3d06d597a0cd9876da0b9e6a05580f2234838eec2a19da710ab1672b0ea24da40017

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f1773a98e99fa2644e4e202905fd849d
SHA1 c8168d9a4bb6e9b4681e6120c084f8cede82f2fd
SHA256 0dafde6c020750ab61e8496cae4de7d303e2de7974e708948b3b0f794e097fb0
SHA512 465db2ea8a34d3448774a40f955d64e291ab1dd988acbc2d1bd18983a2bfb1796a82a49fefd03a929a9e8e32d24d6d82443f509aa3916a8ea1d7454fc4996848

memory/3004-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3404-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a6da26c2a57cc1e8d8bb87df4553673f
SHA1 669c61189127063bfe69407e1695e0a946ea3437
SHA256 7fb2edb152c6a4da471f02dc3300df749d6cf26e0193b5df52776c1b4ff1349b
SHA512 7751fd54a2406b2d88dd7e70d160bf473007e5aeb39d12e239bc843b99e2116277e94279544ed35cb511c680c65f20204e043dc802f9545d00b52ae9145204d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1da5b4049a7d80a9d58df2e43105de00
SHA1 e7939831007b324b9aad99b8a82a992fafdec988
SHA256 c7c2a0fa432867a51a926428df00d336d173d5150877dece3311ce21156a06d8
SHA512 2b8bfb8a8553384c796ad104623aed848c26b5d660a0cd822a6c45791c57d099ebcdc50404ec9d47a8a97eb37caf5a1b6da8f2e0a1a464005e756cd3c9ee9832