Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-al2hxaff3v
Target 2c67e0256a40607c960e329e2e25bf57_JaffaCakes118
SHA256 de52402d2292c64152492994e1ee67bfb858e4f1a679f81ded53e762fa306c03
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

de52402d2292c64152492994e1ee67bfb858e4f1a679f81ded53e762fa306c03

Threat Level: Known bad

The file 2c67e0256a40607c960e329e2e25bf57_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 00:18

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 00:18

Reported

2024-05-10 00:21

Platform

win7-20240508-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

The stock value of Winlogon\Shell is "explorer.exe"; the appended token is there so that HelpMe.exe is started at logon in addition to Explorer. Note where the write landed: both writers are 32-bit processes (HelpMe.exe lives in SysWOW64), so WOW64 registry redirection sent the value to the Wow6432Node view, while the 64-bit Winlogon on these guests reads the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key. On a 64-bit host this write alone is therefore unlikely to take effect unless the native view is also changed; when hunting, read both views (KEY_WOW64_64KEY and KEY_WOW64_32KEY) and treat any Shell value other than explorer.exe as suspicious.
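The check a responder would run against these two rows, as an added example written for this page (it is neither the sandbox's tooling nor the sample's code): parse a Winlogon Shell value into its program tokens, flag everything that is not the stock shell, and on a Windows host read the value from both the native and the Wow6432Node view so that a 32-bit interpreter is not itself redirected the way the sample was. REPORTED_SHELL_VALUES is copied from the rows above; the function names and the quoted-path test input are assumptions.

```python
"""Triage Winlogon\\Shell for extra entries, checking both WOW64 registry views.

Example written for this report; function names and constructed inputs are
assumptions, not part of the sandbox output.
"""
from __future__ import annotations

import shlex
import sys

# Documented stock value; Winlogon launches whatever this string says at logon.
DEFAULT_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Copied from the report's "Modifies WinLogon for persistence" rows (both runs).
REPORTED_SHELL_VALUES = {
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "Explorer.exe HelpMe.exe",
}


def parse_shell_value(value: str) -> list[str]:
    """Split a Shell value into program tokens.

    Winlogon accepts several programs separated by commas; this sample instead
    appends a second token after a space ("Explorer.exe HelpMe.exe"). Both
    separators are honoured, and quoted paths with spaces stay intact
    (posix=False keeps Windows backslashes untouched).
    """
    tokens: list[str] = []
    for part in value.split(","):
        tokens.extend(t.strip('"') for t in shlex.split(part, posix=False))
    return [t for t in tokens if t]


def extra_shell_entries(value: str) -> list[str]:
    """Everything in the value that is not the stock shell (case-insensitive)."""
    return [t for t in parse_shell_value(value) if t.lower() != DEFAULT_SHELL]


def triage(values: dict[str, str | None]) -> dict[str, list[str]]:
    """Map each registry path to its suspicious tokens; clean or missing values are dropped."""
    result: dict[str, list[str]] = {}
    for key, value in values.items():
        if value is None:
            continue
        extra = extra_shell_entries(value)
        if extra:
            result[key] = extra
    return result


def read_shell_values() -> dict[str, str | None]:
    """Read Shell from the 64-bit and the 32-bit (Wow6432Node) view of HKLM.

    Windows only; returns {} elsewhere. Each view is opened explicitly with
    KEY_WOW64_64KEY / KEY_WOW64_32KEY, because a 32-bit process that opens the
    key without a view flag is redirected to Wow6432Node, which is exactly
    where this sample's write landed.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows

    views = {
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": winreg.KEY_WOW64_64KEY,
        r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": winreg.KEY_WOW64_32KEY,
    }
    out: dict[str, str | None] = {}
    for label, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY, 0,
                                winreg.KEY_READ | flag) as k:
                out[label] = winreg.QueryValueEx(k, "Shell")[0]
        except OSError:
            out[label] = None
    return out


if __name__ == "__main__":
    # Report rows first, then whatever the live host (if Windows) says.
    for path, extra in triage({**REPORTED_SHELL_VALUES, **read_shell_values()}).items():
        print(f"suspicious Shell entries {extra} at {path}")
```

Run on a 64-bit host under a 32-bit Python, the explicit view flags are what keep the native key visible; without them the script would report only the redirected value and miss a native-view modification.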

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

The packer match means the on-disk sample exposes few meaningful strings or imports; static work should start from the 0x00400000-0x00478000 process-image dumps listed under Files rather than from the packed file.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A

Soft.lnk in the per-user Startup folder is a second, user-level persistence path alongside the Winlogon Shell change; the Files section shows the shortcut being rewritten repeatedly during the run.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter) | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter) | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A

The report lists these 46 rows in arbitrary order; they are collapsed here by process and sorted by letter. Both processes probe every letter from A: to Z: except C:, D: and F:, which is how a worm locates additional volumes to seed (compare the AUTORUN.INF writes to C: and F: below).

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

F: is a second volume in the sandbox; the Files section lists F:\AutoRun.exe with exactly the hashes of the submitted sample, consistent with the INF pointing at that self-copy (the INF's text is not in the report, only its hashes). The same INF is also written to the root of C:. Windows 7 and later do not process autorun.inf on USB mass-storage devices (only on optical media), so on current hosts this spreads only if a user runs AutoRun.exe by hand; an AUTORUN.INF at any drive root is still an indicator worth alerting on.
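The removable-drive check that follows from these rows and from the F:\AutoRun.exe entry under Files, as an added example written for this page (not the sample's code and not the sandbox's tooling): parse an autorun.inf, resolve every key that can launch a program, hash the referenced file and compare it with the report's SHA256. SAMPLE_SHA256 is copied from the report; the INF text and the placeholder AutoRun.exe the demo writes are constructed, since the report gives only the hashes of F:\AUTORUN.INF, not its contents.

```python
"""Scan a drive root for an autorun.inf that launches a file, and hash that file.

Added example for this report. The autorun.inf text and the placeholder
AutoRun.exe below are constructed; the real F:\\AUTORUN.INF content is not in
the report, only its hashes.
"""
from __future__ import annotations

import configparser
import hashlib
import re
import shlex
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SHA256 of the submitted sample as listed in the report; F:\AutoRun.exe had the same value.
SAMPLE_SHA256 = "de52402d2292c64152492994e1ee67bfb858e4f1a679f81ded53e762fa306c03"

# autorun.inf keys that name a program to run: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


@dataclass
class AutorunFinding:
    key: str              # which INF key launches something
    command: str          # the raw command string from the INF
    target: Path | None   # resolved file on the drive, if it exists
    sha256: str | None    # hash of that file, if it exists
    known_bad: bool       # hash is in the caller's block list


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(text: str) -> dict[str, str]:
    """Return the launch-capable keys of the [autorun] section, lower-cased.

    strict=False tolerates duplicate keys and allow_no_value tolerates stray
    lines, both common in hand-written or malware-generated INF files.
    """
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   allow_no_value=True, interpolation=None)
    cp.read_string(text.lstrip("\ufeff"))
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section) if LAUNCH_KEY.match(k)}
    return {}


def scan_drive_root(root: Path, known_bad: set[str]) -> list[AutorunFinding]:
    """Find autorun.inf at the drive root and evaluate every program it would launch."""
    if not root.is_dir():
        return []
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    findings: list[AutorunFinding] = []
    for key, command in parse_autorun(inf.read_text(errors="replace")).items():
        # First token is the program; relative names resolve against the drive root.
        tokens = shlex.split(command, posix=False)
        exe = tokens[0].strip('"') if tokens else ""
        target = (root / exe.lstrip("\\/")) if exe else None
        digest = sha256_file(target) if target is not None and target.is_file() else None
        findings.append(AutorunFinding(key, command, target if digest else None,
                                       digest, digest is not None and digest in known_bad))
    return findings


# Constructed stand-in for the second volume the sandbox exposed as F:.
DEMO_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "open=AutoRun.exe\r\n"
    "shell\\open\\command=AutoRun.exe\r\n"
    "shellexecute=AutoRun.exe\r\n"
    "icon=AutoRun.exe,0\r\n"
)
DEMO_EXE_BYTES = b"MZ placeholder - not the real sample\r\n"


def build_demo_root() -> Path:
    root = Path(tempfile.mkdtemp(prefix="fake_usb_"))
    (root / "AUTORUN.INF").write_bytes(DEMO_AUTORUN_INF.encode())
    (root / "AutoRun.exe").write_bytes(DEMO_EXE_BYTES)
    return root


if __name__ == "__main__":
    for f in scan_drive_root(build_demo_root(), {SAMPLE_SHA256}):
        print(f"{f.key}={f.command!r} -> {f.target} sha256={f.sha256} known_bad={f.known_bad}")
```

Against a real mounted drive, pass its root and a set containing the report's SHA256 values; a launch key that points at an executable at the drive root is a finding on its own, and a hash match with the sample (or with HelpMe.exe) confirms the volume was seeded.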

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Both drops land in the 32-bit locations (SysWOW64, Program Files (x86)) because the writer is a 32-bit process subject to WOW64 file-system redirection. notepad.exe.exe and iexplore.exe.exe are instances of the appended-extension renaming behind the ransomware tag; the Files section of behavioral2 records iexplore.exe.exe with hashes that differ from both HelpMe.exe and the submitted sample, so it is not a plain copy of the dropper.
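The "Renames multiple (91) files with added filename extension" signature and the notepad.exe.exe, iexplore.exe.exe and desktop.ini.exe paths in this report describe the same thing: an ".exe" glued onto an existing file name. As an added example written for this page (not the sample's or the sandbox's code), the Python below flags such names, recovers the probable original name and, for files on disk, checks whether the content now begins with the PE "MZ" magic. REPORTED_PATHS is copied from this report; the temp directory and its file contents are constructed, and the function names are assumptions.

```python
"""Flag files whose name has had an extra ".exe" appended, as in notepad.exe.exe.

Added example for this report; not the sample's code. The file list and the
temp directory built below are constructed test data.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath

APPENDED = ".exe"


@dataclass
class RenameFinding:
    path: str
    probable_original: str   # name with the appended extension removed
    inner_suffix: str        # the extension that was hidden, e.g. ".ini"
    is_pe: bool | None       # True if the file on disk starts with "MZ"; None for name-only scans


def probable_original(name: str) -> str | None:
    """Return the pre-rename name if `name` looks like <stem>.<ext>.exe, else None.

    Requires a real inner extension (non-empty, no spaces, not purely numeric)
    so that HelpMe.exe or a versioned "v1.0.exe" is not flagged. A legitimate
    "my.tool.exe" still is, which is why the PE magic check is combined with
    the name test for files on disk.
    """
    if not name.lower().endswith(APPENDED):
        return None
    inner = name[: -len(APPENDED)]
    suffix = PureWindowsPath(inner).suffix
    if not suffix or " " in suffix or suffix[1:].isdigit():
        return None
    return inner


def scan_names(paths: list[str]) -> list[RenameFinding]:
    """Name-only pass, usable directly on paths copied from a sandbox report."""
    out: list[RenameFinding] = []
    for p in paths:
        orig = probable_original(PureWindowsPath(p).name)
        if orig:
            out.append(RenameFinding(p, orig, PureWindowsPath(orig).suffix, None))
    return out


def scan_directory(root: Path) -> list[RenameFinding]:
    """Name pass plus PE magic check over real files under `root`."""
    out: list[RenameFinding] = []
    for f in sorted(root.rglob("*")):
        if not f.is_file():
            continue
        orig = probable_original(f.name)
        if not orig:
            continue
        with f.open("rb") as fh:
            is_pe = fh.read(2) == b"MZ"
        out.append(RenameFinding(str(f), orig, PureWindowsPath(orig).suffix, is_pe))
    return out


# Paths taken from the report's "Drops file" rows and Files section, plus two untouched names.
REPORTED_PATHS = [
    r"C:\Windows\SysWOW64\notepad.exe.exe",
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe",
    r"C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe",
    r"C:\Windows\SysWOW64\HelpMe.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
]


def build_demo_dir() -> Path:
    """Constructed directory: three renamed files carrying PE magic, two untouched."""
    root = Path(tempfile.mkdtemp(prefix="renamed_"))
    for name, data in {
        "notepad.exe.exe": b"MZ\x90\x00fake",
        "desktop.ini.exe": b"MZ\x90\x00fake",
        "report.docx.exe": b"MZ\x90\x00fake",
        "HelpMe.exe": b"MZ\x90\x00fake",
        "notes.txt": b"just text",
    }.items():
        (root / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for r in scan_names(REPORTED_PATHS) + scan_directory(build_demo_dir()):
        print(f"{r.path}: probably was {r.probable_original!r} (hidden {r.inner_suffix}, PE={r.is_pe})")
```

A renamed file whose content starts with "MZ" but whose inner extension is a data type (.ini, .docx) has been replaced, not merely renamed; one whose inner extension is already .exe needs a hash comparison against the original binary before it is restored.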

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe"

Image: C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe

The second command line names system32, but the image that ran is the SysWOW64 copy: the 32-bit parent wrote and launched "C:\Windows\system32\HelpMe.exe" from its own view of the file system, and WOW64 file-system redirection mapped that path to SysWOW64. Host-based hunts should therefore look for HelpMe.exe in both directories.

Network

N/A

Files

memory/1688-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 6c8ee97aa03e7292fab788a24e13f739
SHA1 6559278afd006a8cf4c60323ac8a3dcea8ac8111
SHA256 8e618237c89553e664ec5b9870d44407716d98bbe12b88279c9762abf283ca9b
SHA512 2c0f4d2d88d669506bd11f81a399f7ba6e9a5e5895466f70dd287f51731ffd3819f8f24cfcd4af53e1bf0ca51841012f9069c87e098744bb89e755aefd91ca4a

memory/2852-9-0x00000000003A0000-0x00000000003A1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe

MD5 fd89c9e698c39b5c67af055c025a54a4
SHA1 2e2abe481d3e06ff3e705bd9f9c2a0f4435f9f7f
SHA256 9c8b51256da43a5f729d34825cfde7ddaf675683fc84d7e3b459e491c05d91f7
SHA512 912869a1fd78657eecae8a0852bdbbab7b6e4fd946b4f6cb24bc3f479ae9763c77ffdd176498e10e29c3d541a88006dbe0cdd5cbcc1bc51e685d77e0011071dc

F:\AutoRun.exe (hashes identical to the submitted sample: a self-copy placed on the F: volume)

MD5 2c67e0256a40607c960e329e2e25bf57
SHA1 4bf294ee401058e8c0fbcbbd0c1ed41059c06878
SHA256 de52402d2292c64152492994e1ee67bfb858e4f1a679f81ded53e762fa306c03
SHA512 718220b687e113e8c0d412c8bd73b7690cd6320710a39e095ce7a8b99b859e6d8baa2339840076e61a10f56b2ffac7fcda42b224ba0b711a838ad8d27e29340d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e90558ceb0433f857332f38876d046d
SHA1 6be6dd371d27c1efcb314ae50051ddf1dc245ed2
SHA256 28bce2acf84ff1aadff84e9ebe4979ffc9f57a5529a3d7a756b98dde53b39148
SHA512 0d94ee0d4d78154e52dc4d9da945af979ebbb315c331ec21f2a426e3a89ecf51cdbac0fab4e483574e35f8af3469dd0e6839a9a33de6b73aefa565fac4ea6574

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 558d5cbb2a27c689958432a8ddfedd80
SHA1 ba7488efa5583ac1477237f7a287e106e517cbee
SHA256 501fb1a70ededca00efe23b61ee49ff54ea1020322c0880502d91afe09d88484
SHA512 5bea7c209cc9a78bb75ac4af413c2834904681916d2c1d310942e6630acc18f2c23264cb68cdddb0f09ca854f284aed7c7840655aedf49caf15903706083c1cb

memory/1688-232-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-233-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-byte version; these are the hashes of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1688-242-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-243-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-244-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1688-253-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-254-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-261-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-266-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-275-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-276-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-285-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-286-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-295-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-296-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-305-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-306-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-315-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-316-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-325-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-326-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-333-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-334-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-345-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-346-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-355-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-356-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-365-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-366-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 00:18

Reported

2024-05-10 00:21

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

As on Windows 7, the write is logged in the WOW6432Node view because the writers are 32-bit processes; the 64-bit Winlogon reads the native key, so check both views when verifying whether the persistence actually took hold.

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter) | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 rows, one per letter) | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A

The report lists these 46 rows in arbitrary order; they are collapsed here by process and sorted by letter. The set of letters is the same as in the Windows 7 run: everything from A: to Z: except C:, D: and F:.

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2c67e0256a40607c960e329e2e25bf57_JaffaCakes118.exe"

Image: C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe

The system32 path on the command line is the 32-bit parent's view of the file system; WOW64 redirection placed and ran the binary from SysWOW64, exactly as in the Windows 7 run.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 2.17.107.112:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
BE | 2.17.107.112:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 52.111.229.43:443 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp

Everything here is DNS to 8.8.8.8, HTTPS to Bing front ends and reverse (in-addr.arpa) lookups, and the report ties none of it to either malicious process. On a Windows 10 guest that profile is consistent with OS background traffic; the Windows 7 run recorded no network activity at all. No command-and-control endpoint is evidenced by this report, so propagation is to be expected over local and removable volumes rather than over the network.

Files

memory/4392-0-0x0000000000560000-0x0000000000561000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 6c8ee97aa03e7292fab788a24e13f739
SHA1 6559278afd006a8cf4c60323ac8a3dcea8ac8111
SHA256 8e618237c89553e664ec5b9870d44407716d98bbe12b88279c9762abf283ca9b
SHA512 2c0f4d2d88d669506bd11f81a399f7ba6e9a5e5895466f70dd287f51731ffd3819f8f24cfcd4af53e1bf0ca51841012f9069c87e098744bb89e755aefd91ca4a

memory/2304-5-0x0000000000630000-0x0000000000631000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe (hashes differ from both HelpMe.exe and the submitted sample)

MD5 f2d1ba2000a2361d7e2fa1f7f950f4a4
SHA1 41f77d47e550b0dacef291322c2706fb8923c082
SHA256 4df577f89b95cb2e26ed9d0734bbe515672e12c8a30fb0033b1ce1f116a02879
SHA512 eda0d3674f417b66d695ffa26f2d59181715b20e28be09b85ce0240a5f0b87ccc1068902daa56df224235cfef52eb868c67c4a021d618b1fb2b359187d0573cd

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.exe

MD5 4c31d7f743771d4b2419ffe11523f9f9
SHA1 36e943d602312e32f54880f578ac895fe1cae2d1
SHA256 ff2b05d5e686ea7bc66dcc172bf3f9063bf0d6a79ac4d7f715d4e04cea2e443f
SHA512 64f177f514813454e102bfd527dc8ff6f15433fa59c68899c46edce49ee703fe86def7b3196229d261d4ba2cfc42af63fb5c6ba2cad810da50786643c6ab71b2

F:\AutoRun.exe (hashes identical to the submitted sample: a self-copy placed on the F: volume)

MD5 2c67e0256a40607c960e329e2e25bf57
SHA1 4bf294ee401058e8c0fbcbbd0c1ed41059c06878
SHA256 de52402d2292c64152492994e1ee67bfb858e4f1a679f81ded53e762fa306c03
SHA512 718220b687e113e8c0d412c8bd73b7690cd6320710a39e095ce7a8b99b859e6d8baa2339840076e61a10f56b2ffac7fcda42b224ba0b711a838ad8d27e29340d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c954944515790172c616c6a9648207fd
SHA1 9cde2c7352b95339ba1b9a0b0cca120514e0e01d
SHA256 f92620b0cb01349409e2677e9c4748d320e66fcd9763cb027545db1e152698c0
SHA512 7b613872baf94c076903881a77582d7f6f64dc83a5fd7c036c8294dfd7100d4de65b7c292f937a8ded562a75941d1cc3cf7c030547fe863ca1a5f957337c73b6

memory/4392-51-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-52-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f6269d4d00bcfb82684fdaa224e3a8a4
SHA1 e287ae69e53f54dfc92119ab243459cbacacb1f7
SHA256 d0fdaa3018da8924f593cc34355df52553603abb9c2c790e1edbccae512f233e
SHA512 15cefa27b6d4cecd90603caec7f7ae0c7273ad6d9fc33a1069e9b5985eadaccb84b6aee5f21d9fc3bb16320e49d216b4f845eee814be10a30071c168835936e6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b489b00e170d2e2fbca229b30dcc2f38
SHA1 48d54a1c7287fde36a15f74191dcf34673d22d5a
SHA256 238023ffebfbe0c32d5fd3a604c72b69b1671ecd4d5a9489e767f18942539a33
SHA512 1e1bba8741615da40e70a4ed48d102c9c86f1d6306e591dcf3c0987891e23e150fe405d564238edfff836128c53bde600822b048df5c061aad47a1282b41fc8f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 caa7342f723ca05b3c704218e837ae5c
SHA1 6a71800b5a881bb8f962da6762128a4c41fb70f9
SHA256 dbf860198dde22477a907c7fa4791facb4f3d46bb12646cc8385af511408340b
SHA512 b7b9493644f6cef5f181f4a7f7969e1e2347f87010fe0cfe3cc4dc519bdbf2b9122fb9184abd97672c36a1974251845529b1acd265f56d2bffbb8f8d034ead2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4923fae983be076dc2011f9b2ca6b5ac
SHA1 6b2b7d7a07bdd08fdcfd871852260c0de32df296
SHA256 6c21487054b86e03d25a9c00ab7eb25a392d295edf3fb32be9ebd4cdca14446f
SHA512 f07ae12884724f403d4dc4ee551a22f1b5343f4aa0d9ecf5d8e7b0daec06f171ffe52477a50e873e8b16779fe3ca52750c24e7631ea4f4700dce347d99e90891

memory/4392-61-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4392-63-0x0000000000560000-0x0000000000561000-memory.dmp

memory/2304-62-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-64-0x0000000000630000-0x0000000000631000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 224472fa4cb80df72aecdf2c201677a7
SHA1 c86d2676e761f11ec6ecb79138ff85542d3c3eec
SHA256 536495819a49c3ba018473373740ccceb1cb034599176ecb59c2929f234639dd
SHA512 5d216eea6f9285d3b7baa9971fcce217e867cd00f3a7920bf9915a8dbed5fd9c709a7fcd737a840139e8ff29f97224327088d67c5b94e08b43900ed0c2c75a9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ca9eca637b8948c9a50952a9d113c01c
SHA1 36440473ff544c7a3211e19cf6178d7df9d8c413
SHA256 c4986a13d8d46cac9be99d2a53b4dfe827b0e59b693cdabd73605f1d75f3cc64
SHA512 baf02e95c3a6d5854ac2a384281ca16aa3027f780f6bee11f341704e005737dfa0222fb84c362631f77b0b0b06a091b7d56664d879bacc71a0f13b35c9c5fdf0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 478b0a702519a4d9a90bb4da48642783
SHA1 9b0348156dc9d225403f7dcf529799d4a3b063fd
SHA256 e916c761b79b20436e98f235a2219f3606ddd8c612c9cd81701061ed122387e6
SHA512 c6d929248c9c6eb5aae2c3dd9e8455c4f09d36e567b641a8e81a521d07d7042c4e6bd8976968265f602fb198ad0b84500136754a174f7a213668c60bd3002c9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd07563168390f19d356a1527366dfc0
SHA1 6528e924551f29a062ec3a702920a355c7b77405
SHA256 f1b184cedb190d4c894e7be7deb89c63a227d6749044318622b778d889a55222
SHA512 bd3a1ec578ac8d3552c95b8076b37374a581e6661b76639e2afb67c914b0da288f950874fd8a3906cc50537bc3a62a0dc359c36c29b82c47d2794377602c66d0

memory/4392-73-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-74-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f2f47d672e508a3b2c3c5d51b579796d
SHA1 1980b927d876212d4d326862a864942a6116fd50
SHA256 a7611dff575aa1e23cf9f95cf3e30d2d538b4156bb2863e092b6d4a72bb83503
SHA512 6d1700111ec3414be4d7b4bd1e93f0c8c19960fe9d9202fb0dbc3993119dc00fcc137cbd9ee0ecc91e4bfe52d947928d0fbcfbfb112ff7567b04288f75fbc388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0290bb74ab1b87d130a4fda7c51471a4
SHA1 395a953b9ea13bd9f575d078d7305e52bd86deec
SHA256 71851d3b7fc793f599fc78b5ce6c24d9568e863464c025ded98ea293112e8916
SHA512 4c8630023536a3c3f8e0a5879ecb2ac0af6db06b655e9794b6e76d6bfc8ec3064c2f3208d5bfe1f6ce682d11b9d8e888fe850a25817a4490ff980f64ab1d9cc2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc0e461f14262b4a795cc557aa577b80
SHA1 29885690e7ca930bac8e89736a2de75dc847fad8
SHA256 eb35d95d530916d10f29d92ff4a4402d5a03b5ca3acd86d2914440c0e4b97b67
SHA512 6ca380a1133e13bf73c4a7ebd3b188a9027bdd7753f8ebe70b675e472a22ed32ba6e3d8b5872141fff06e04333140acd345d01b5f08c66ec6b0a6f98cb1b8770

memory/4392-79-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 95c9586964a5faaeca650ea290f43bf6
SHA1 322ea6a2b9a5a2b4d2fb88ffe37b2b6651efd6b2
SHA256 ee3d3387bbd5876732f5b2d8858699e46b81d066a13b4493ab0c0e3f6ddbfae0
SHA512 0270370c27bad5f7b502bdfdfeb9f6b61982acae3a91592d9111c62a0939e130d8160510b5a56f449d3d0f9d98d5e79590ddb119618399fbcd775065e19f5164

memory/2304-84-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fcd59822f470ae78262fdfe1975765fb
SHA1 98ef29d00df5e7b929f31ec3c11c91c49b5e404e
SHA256 5c2fcc201f175f5491647aa9810ef77832a51c704370bc2b1dcfc710eab96df5
SHA512 2e3112114dc437bcd156ba240f5e8c7d9ee6f1791bd69b35503fe90aada8d2de07c3fcd479c2249e9f84d1fcf3c69b49fa19cd9ab955422ae1b83705a431acdf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bcf931abfc956e773cae5ba04f9ae04
SHA1 2e99cc47578c32103fbd579c536b3042280e5c1e
SHA256 9ef1566e45624d0b4d9d197ae85e78a361338bdf0acd70782ef55106933f6aec
SHA512 f6ace80b54d9d49b0bb6cfbda172cd940c28bebcb5071c2fe83171aadbbc80f5e5104a0a11abed63f7ffa92f6183181c2386a88f27c8502b73756ead8bd789ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88ca5a33690895a7f0d37d3dd6ce9e8b
SHA1 8f8ae72e3f4aed7d836ff7fea945563006ec2dbc
SHA256 4b98d2dd6e095cd95367eb83e1c0257db9382eddefb6fc70117a53050ccd0f8f
SHA512 fb82a79dbe88eab03b9001a79d4d0e5559c65dc098192e4357284247eb3f59f8d8ab86921d272efb0195403b8e0b0aa105608d2dfeeaabbcaa53ee2d3703c3ad

memory/4392-93-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-94-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 83187fcb42ad723998c071998f41df80
SHA1 c8ca0c4332963bebdcb63a201c3cff1bb85c18c8
SHA256 d7f739b4c5aa135e19b3c2358bb89d81dac58829eefd5d4a1ceff1b33486b12c
SHA512 ebcf6bfafe78f44c1965e1aa86abc128afeb191bf44ba974bd69de4dc6f5d2351ca0bfc2fefc3a3816fb7269848ee73a245d316c930968099dc9a6c743b0a7cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 acd60f285c0439f348f2fdf02e837fd0
SHA1 6a1187f11542c28c3261d9109bed79e8b29c7650
SHA256 d3d79d402bb6e7bb24c70233325da82d9468f261c80b936566fecb20e07c1454
SHA512 8dcc1c3d1741416e24d8ee6bfa2fe2780186b569b6a66295e1b8a0d5481a733fbb67f348b64c691770c4b119e1e8e44b41baa546fc4c44e57f06217aec8036c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d8295aa300f99ea7b4bcf4e1d180c522
SHA1 5a3979ee49ff0cd7440a5ef71c3e9a38f2501951
SHA256 f56935201c11f5486f250eff413a3eb870a3e226bba9c9214d8855f70ae50f38
SHA512 fb81de5ef770222b5f25e36b8ae0f83785602bbbbce56ff4cf02712d5f842908640ea5ecdbe1c1df0452f6bca7e1950fabc7b39cff695a7d81f27b8e3b5a6a2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3c08d7c7baabb3117895ed67ceb7ebc7
SHA1 6922e81da646c11e4871048831dd5345de18b5e4
SHA256 f8a069ce4e4f5b51bc8a70f7d52cdb0e1f9e2ceaf3662b8607ebf0a6cf7081bf
SHA512 f660798635a2699f50022eb664d9559f8d3363b69a547725bce42184d4508f86558d5dc7b4bd598d6a5ee646152d510e88269285268285f10e41e321611ad6e2

memory/4392-104-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-105-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e70a06547f430c4815e3ef4c362bf75b
SHA1 a61aa0f84269c23244fab56e7509e476eb55b1d5
SHA256 586d012a13474d2f4da2da1ca6ed8de2923d4f6fda58c1d66d668793f2f0e35d
SHA512 0f83c16d0995e827dd22e1e9c80d7ea95087c7e3c41ef8901de97c70c78c7f73b43bad59acce9841904a0f92fa0ae56da360d17efee2fc3be990ad539552c678

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4043a5a298235a71e72f2a33b3c1fe9a
SHA1 41d65a393ccfe7658c94f892dc66bc0cad1e7ca3
SHA256 e0daa34d31fcb0146b08e9ab3b6340ec3c4898fd5ce903c74124e941148cf605
SHA512 cea30847d8744afb2cd3b6575270d330dee3975bc7dcc1329e54a014631906c5f2e69d52ac8caac02d63ac8b63c70de64a3fb0441209fbee71a83a1e5ea415af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 203aa1517352edef5612f88ea8d1cf56
SHA1 1dafeee8735a9a3cff3b9f0c432c1a21bdeb3e69
SHA256 58842a508631c01b4ce57174e76a6742934cf90be273406679988ea88e16c94e
SHA512 726fa355fe0739978d2946577c25e11ba766af77c394e88e9fc53bfee98861563fe700c5c64abca962114370bd951e4c13ceba1bef0d13899c13695c8754bbae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e3b027ee4aa1fb479a856f9002db648
SHA1 fe83fb1b04ef3cc56453f27f0ffb80c94f3e97f4
SHA256 61f62b6011efd6c72533e716343ba38324b67ded88979b1c02214c80127dc432
SHA512 119ec1f08428bab1ce1c92f78b91bd7f061300677377b6f79c652a61c8d8a1ffbf3003cd6ea65de50d680ad47b6335f6c08c9dc2a150d0c5899497ae879e5735

memory/4392-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-116-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cb27122e05a122bf8c09c5250b909d0f
SHA1 d785d5036d58d1b0787ce9a869cfb08a4f01b200
SHA256 ed3f6ddca4df63bf334eb47e9fe02d14d636d4e647bf61075132fbc61f08d7bc
SHA512 ce77d341e7500ac0ff5af762fa2981810da5ee8c5c9c26e401def1d07c2b63bb45ef034a1667c0d508f21dddf08cce7c0a1541739d011524990ea1ca8cb793da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b47248f788813f3f0be1ab681561f2bb
SHA1 7c84f1605befd9242a2ae04233e2b7af89d6aee4
SHA256 58c9be55f3024e3fa1a5800f3e799a5654cddf685fe07fed39a530d5a86a76e2
SHA512 aafa6d5f0b604413700ab39cc1ceae3d75f9b57a1cfdfc5060698f01e23e56d515104a5bfa582c38ea8b0836298d7cbf46dfd40c25f4baca30b9969ce38f781f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8492c42831eae9eafe15ec5c60bef286
SHA1 69ad3f46f99f52f8c6f48d6d3a15c59fff8cc680
SHA256 6f933858120938393d02ab12599c05f7619a20a5100de4e5f39e3f2eb98450d3
SHA512 5143cd6ff2ef720962fc8613803ee45b9d1b2a98afb6e2c8d66b51dad015e38ba267692e426ccb6fb59dcf28ca426e5f838796ec4a26d1f52ceb73c10b4573db

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8b89b217611c81f3829de65256837404
SHA1 efc3907b48eb96e05e68bd6b6421d7c3c7cfe993
SHA256 b2145e33cfd55b32be40c279fae61b9248de62bfde1efcc67cdbbcb82b505e8e
SHA512 fa8a58268885dea5194f2da1ba9682ecb69a707eec05726292c2b40f3369b1bf140c28d180a45da87ab5191b4fb73a13c2cdd38656b54295bd39778073f38d96

memory/4392-125-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-126-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c2c907c19cd97e81b07910c0d4b3c119
SHA1 2c0e2e27a34f04cdab641b17fcea5e896426c9a1
SHA256 e41c05dd377725ba08ba37f15f611430fe575635b6730a60beafcc5de6992625
SHA512 9183feb28f7cf1fb59cde89f68ce9059314b6108224ccdef2d08abf0ba651bf0003bf3340a9e7c0a0704ef9b9efd832f4fbe09a3bd5edde0089fae7a6883e11b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 36b28920d70a27a7c3f1273955aaee37
SHA1 f52d4bc10f7bfe08e9cf81d1781a88c4a3855c83
SHA256 cc12746a4c9a589a7faa1ab5dbaab4e1eb830839bb3676e611873f29b4033ccb
SHA512 432b74c52b788805049981f450e8707eb98f7f2f95a615cf79ffc54b705a8e82bbe8bbcf0907e2d5fbe434197167b2aea7714f02771f7a7a435087c0b9e12f05

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3e53e8d982a94313f91b5b2fdb9e5b8
SHA1 36bc4d85fe5af151fb19b32540c6d559784635de
SHA256 b8f2abf3a155e2e1bf1d2ee772121fd1417d7006f9d21a065baaeac33a887e22
SHA512 2e8685f837e9898e3546efcf20c2391029226a113a0c1a1c37f4c0705e87b1cb17502aba9e5969e591d8ab79d8e7552c37662fcd78b06a1a229eab7161d41d27

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 092549224cdca73b9518a6fcb4bf71d6
SHA1 a39246b2c1272f644bd728d657a2a2e6d19dfc41
SHA256 a1414b5afc1fe56434a71e600dea946ec394d91529c5e5194dacd2c8caa16f4a
SHA512 e347896691045064d7532d3a10d9ab1f5e34fb52f67e1da5d84665ea51ff65008b085e11516fda1ec8a39632c05d37669747e64b9d73e61a58288cfb44de3931

memory/4392-135-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-136-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 98303f81f9dc446c6d833006871f35f6
SHA1 7977e84101379a57aad1f538fac13abd91f81759
SHA256 275f79ca11d73a05dd53f4fdc86b244bf7117d73d5adabe6084704dcdfd6f8b8
SHA512 bbef01d1fe63a53159b881d6d25d855ebee5d4672ae04eb53492c86d0487e32b145fb37eeba39d5932f091b763bfa5a6c44f42af7f561ed1f1bcdf201b997bc9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 685b43f193734bf06f82ac5bcd9f0b1c
SHA1 49c30d7a4a574cfb8bfaf77891e0d28d547c0285
SHA256 70de16ab165e59b7b5dfa7eb5f41c72f59b61d3987327f19bdb0f46c815d622b
SHA512 5dbaccc506fe960188992b098d6144e44164a475a95cc1891ba6beb1326b385ab021ec130a4f69b86f1551dd8f5e71d12613609ec1806df627a4cce50519badd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e81c3cf6f132ef76ac8878615b740af
SHA1 1397c5c71f1503e2afce03079b1c77c8a4532414
SHA256 80f6cbf674392aa4e3f8cc85a53bafffda65e61cc697fd4857444d3d4fc88328
SHA512 bbff538248207ac2cdcf413455defa76b3b8a47496e28cfbb0955496d64c0a8a8254d93bece501c25f7a32dccc111ba4f9f351a2453164bfee4b3906c395400a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e2e61122235fa25f8a695ed6d6ca89cb
SHA1 b598fb842e04e1fbf0551980a2b6b41cf891299a
SHA256 94fd44b633c5b9c6ac44b5ab5344d8a72e921e46f7aea9c53a2a3e75089a629c
SHA512 d9ac447d70fca1309a50d6e5193159859ff6e9f0d05d1daae2b1c15a3693e1a5ad3246b80c56fed95808dabb5897088c23f4181eee1625df9aca29203dd731b7

memory/4392-145-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-146-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7112e66a14f6bf6d803e5f18e36450df
SHA1 7d8040ea84d4a3973c46403c50015b83c83e5553
SHA256 7c402dfe2aa20fbe30c01f954c9395d0173dbaf9ac144a21e3090985b818aba6
SHA512 0bbadffde318724a3680ebf63ef0badcf75c0f29e746e88a06baabf19455966d0505f3952c7812434763f58be66e35bdee77b89d7ff394bce571af5789b59953

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e49b6723f4e664c0be037b7463b808a1
SHA1 954f91c99b86f1319407c06343a889f5a8a6f164
SHA256 2924f7ffdf26a43197f9974dd08aa8b5fca12a125e3d71c2ea2468a432d9940a
SHA512 45bc4db25ed39b0668d352bb66713aaca931405bf238871c5ffbeac8906f98aa6d8cabe1bb3a58c72415ae2804747a28d48af47bb0b1bfe42a80cd1403a181de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a814a1a9cb87672003b6f338339b0b35
SHA1 0fc485b81ce120a572d118e1260c6b3263e0e02a
SHA256 622f5cac342d45df2136e453dbf84b99ed9a5657c0ee60956eb86fc573eee0eb
SHA512 e1bab9d798ec42b0cc7f4d5c3dc7af17ff4174ea83891460afe43dc4f63715c203e99c58c99d5d28c48580c64fef6d7066e326f5b78c0dcea1323507b0180e8f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 902bb0338b1b82593e3cb1939b6219bd
SHA1 157cd75d33c7f6730c2cb5b3c7f04f33f97a2bed
SHA256 8a3da85c162ab8c867b73682cd11cba2475b1df682418834cbeebe12287426a0
SHA512 b9ec68ba66411fce9fd6d65bb084cba51acc476b7f18cf4cb698627927a4579ef5c4c0141fe328ecfc586468fef8e6bb09f77ba8491b6b2e2e18c4e7a4714a3a

memory/4392-155-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-156-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8753184bdb95c8dee6d8cc719fdf2a59
SHA1 911b5fbbaa3328b65240979540708665bc60302f
SHA256 5ddb6e3938a4175849e7caa71b97b4402cc7e4f98418af4b9b1e6057f4d7f2de
SHA512 77cafff413383db9d8c40aed06fabd7475c203ffce42ab472fa2ffcfe922810ba085823aecde2b9c7ef26ec95c6689d7224705d6950a1d5d0396a40c013051fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d2d0b2e41831142b70c6c9e4a0acf4ff
SHA1 c7955eedd49daa3634dd42b9ca7e2fcb17ded9f3
SHA256 a12b866977fe5718d1f82bcc87a137390cd58bc64c8442822b1af003b5fda194
SHA512 490c1300b92f74b232d8335d4524e2e5012376febf542eb895b9e71bf17f5a65e774d34e2dc65f4bef314a81bb1187324ef23ac20a7c29025161f84c8f62c229

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c462fcd0ad5d0792aff136a20e315e1
SHA1 3e6b31f8b61c9129c9ad20e0d1df5b693986285c
SHA256 568d947d31b78ebbc0724071edebe663dcaf0480250da07e5e6e19ae000991ad
SHA512 4946cb875c19308a47e54d5478d352d5c5b86940779200da4c9038f5fe642b0c7f3e5fd0eb4f5b2112ace9cc6b3827075a246783112186221be422b9eb887b29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d3326a8d1d8b9159b9e3aa6f08cc3ca2
SHA1 4e63b5cc6d629918a657adf673e2a7a7d749e892
SHA256 1f41f98196f628a9345d7215c15a2934c8715fb865f3d16df713e08f6155ab66
SHA512 a7af490aafe9b6de1f075ff3166335aa62605ee2b910b8bdacb43214c437d002b2e28fa3a9acb98fa5116e0a6dbbb7fa08571860df6992ce03c49bc77a5143bf

memory/4392-165-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-166-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ad2b4315d669c0363f096835d06c54c0
SHA1 ef75d7d948266f532107494867dd72ff643b4dd0
SHA256 011d0e9d6b3ecf3f146abc71f1a8b6353007aa50f98e3671581fc3943878cc23
SHA512 2facda2cd6b987e5b4d757dcb6fe94c3b068a268715617795ecf2268fe384520a98acb31467e82f0acedc423b7fd175c2979a7f39f2124f8b3c38a86ad0ab3a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a43c0c97eaf645ecf9d50883e0d35f08
SHA1 2e410aa62df66381af35e8bd3f039328fe43366c
SHA256 a8119e10ea09c067c2dd317f47919de3edbede4fc4029981037401fffbc2fb24
SHA512 8328522b85167fc33bca28449f1ea7a9ea54ab2328c6431715aec26e1b7730fdaefe361cf77cf5ea98866d914780a2276b638e401ff4b64896f6f23da1d04039

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4cf554f847e947e93e77e6fd55f405d2
SHA1 b3c21ee18740ec1305a84e3899c27d5d8d26e74d
SHA256 5e5223368c8bf155cfb2b896e87c906fa10543ed14a8a459aed9a17c84978648
SHA512 6baed8a98c3d61862e8c21d27cbf0ae524c7752907f12fce0a455b8aecab266b0edcbfd293101cd096086cd0d13ea2a3f44770824be4fbeccc6cf8a9920fd313

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b955be4dde2a45442dfd094771b27b13
SHA1 a7967caa324a2a383bda6bbb74945b7984df6dd9
SHA256 714ceaf25590b406d0868c4d761cfc5a9c31b73f1fbdffa72437fc39da6f7c7d
SHA512 cde53e75573544c47d742fef9a48352f9018d7d1037b166dd30e04e22ac00c6182407c0992b9bf2a7d3818a4071aef2acaa225aef075e6707e6ad4e08d8b484a

memory/4392-175-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-176-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 633421b76552e4f78e00b55eab60c18c
SHA1 77b7bbdaee198639ce6e8458f3b4b82c95177889
SHA256 d17160729f540ef510cfb6ea1e3d0f811d7655ac189b9243782712d79bc0d6c7
SHA512 7b3b452b508f4cb8dcf98f6fb09ea5b5404ce4616ff2718ceb2aa205b8d7f018b90a3e90fa2d7e848dbcc24ec8f1af53119db7b9b1de0e093757ee34cdb6315b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 02055133f5319b8ca8d45b4b25e5f5c9
SHA1 e619a3aaa7a122807bacb3423326d4b6c5f0ff34
SHA256 34c1b95229d4adec058f2c05e35e5df6f053110bf4e420c0a31bd79c56d94c61
SHA512 17f76774df1fa6d2a911fbdf4f64f446f6b6f3a3c9b3ef820dea40cef4b001fc3fff1f8c0e79db2474332da28b51a6928fe24455d80f1965106b08bd5b0958be

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 545eb8e9465712a350ac97a689d90816
SHA1 a57d8e851bf7598922929b141c7b7e81f19d5665
SHA256 d2298c4f80079d3062be3488d0ead8733d7619cac515815ad235d461fe0b2d25
SHA512 38689cd7f862f74f67fba7b3053bb71a10fd3e86fdc3655643bbf322b181bb405a904046e57d3a5c27068011601298147676c127d74efced78511f591bb1b2f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3d262b94d9e434b80a0935071d59cc1
SHA1 06f5e9c49868729ba3f58504e9ed99c1903ae173
SHA256 d68f4fe9a8e025700ab08a28a685fc7630f26829a594a325ee55b30f7fcdc547
SHA512 8c4aabcb738ed8c8d1576cd7aad5c72b10765cab0e4f6e37f6c98a7c646e6095c861feb3fdfc36e701ee2e3545f615b43508c7f4e5d2621783720c11480cf342

memory/4392-185-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2304-186-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ed5c5ec0fad844f2b68a09ae5f7646d
SHA1 25714b9ca0603833de98249fd5eaddb7aa94a7d4
SHA256 15bb91c5c077dcbe380074c46359ce60a3163045bafd93e01a7b54d81b2772c3
SHA512 db89ce601c1841c7421783034d76f823b9e22d50a45e8a97011ff85f575f525bcffeddf543eded6610b42f51362410447b85c2509b22fa8da8a623f357cda18a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 670c64d51522401b8e2581eb8e6df4f9
SHA1 892afba746965b71393648bd8b759e6d1412c53e
SHA256 a1062b8a38f49eaa72b929f44c3ecd854cc283ddcb632e51a662b2c1a77805c7
SHA512 4d3ece255f03065300d97799461473f72f18f2381f4020a89d883ed63e538417c1d897232d1a8e55c4afa1ca9fbca3263cc5b2915cf68490018ac832d72faacf