Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-fpeffafh76
Target 2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118
SHA256 1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028

Threat Level: Known bad

The file 2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 05:02

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
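
The static signature above identifies the packer only; the report gives no detail on how. A first-pass check an analyst can run offline is to read the PE section table and look for the section names ASPack leaves behind (".aspack" and ".adata"). The script below is an added example, not the sandbox's own detection logic and not code from the page: it parses the section headers with nothing but struct, and because the sample's bytes are not on the page it builds a minimal, non-runnable PE header itself (a constructed input) to exercise the parser. Section names are trivially renamed, so treat a hit as a hint that the unpacked code must be obtained before static analysis means anything, not as proof.

```python
"""Identify ASPack-packed PE files from their section names.

Added example: raw section-table parser plus a constructed minimal PE
header used as offline test input. Not the sandbox's detection code.
"""
import struct
from typing import Dict, List, Optional, Set

# Section names the ASPack packer appends (assumption: any match is enough).
PACKER_SECTIONS: Dict[str, Set[bytes]] = {
    "aspack": {b".aspack", b".adata"},
}


def section_names(data: bytes) -> List[bytes]:
    """Return the section names from a PE image, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def identify_packer(data: bytes) -> Optional[str]:
    """Return the packer name whose section names appear in the image, if any."""
    names = {n.lower() for n in section_names(data)}
    for packer, sigs in PACKER_SECTIONS.items():
        if sigs & names:
            return packer
    return None


def build_sample_pe(names: List[bytes]) -> bytes:
    """Construct a minimal PE32 header (not runnable) carrying the given sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # magic PE32, rest zeroed
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    packed = build_sample_pe([b".text", b".data", b".aspack", b".adata"])
    print(section_names(packed), identify_packer(packed))
```

Run it against a real file with `identify_packer(open(path, "rb").read())`; unpacking (for example by breaking on the jump out of the ASPack stub and dumping the process) is still required before the disassembly reflects the real code.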

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 05:02

Reported

2024-05-10 05:05

Platform

win7-20240508-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
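
Both the dropper and the dropped HelpMe.exe rewrite the Winlogon Shell value from its default "explorer.exe" to "Explorer.exe HelpMe.exe", so a second program is listed for launch at every interactive logon (ATT&CK T1547.004). Note the path: the write is recorded under Wow6432Node, the registry view a 32-bit process (the sample runs from SysWOW64) is redirected into; whether 64-bit Winlogon honours that view is worth verifying on the target build, so a triage check should read both the native Winlogon key and the Wow6432Node one. The script below is an added example, not part of the report: it takes "Set value" events in the format shown above (the three sample events are constructed, the first copied from the table) and flags any Shell value that names something other than explorer.exe. It tokenises on both commas and whitespace on purpose, so the verdict does not depend on how Winlogon itself parses the string.

```python
"""Flag Winlogon Shell values that start anything besides Explorer.

Added example over constructed registry events; not code from the report.
"""
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

DEFAULT_SHELL = "explorer.exe"   # stock value, compared case-insensitively
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon\shell"


class ShellFinding(NamedTuple):
    key_path: str
    wow64_view: bool               # write landed in the Wow6432Node (32-bit) view
    extra_programs: List[str]      # tokens other than explorer.exe


def split_shell_value(value: str) -> List[str]:
    """Split a Shell value on commas and whitespace (conservative on purpose)."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def check_shell_value(key_path: str, value: str) -> Optional[ShellFinding]:
    """Return a finding if the Shell value lists anything beyond the default."""
    lowered = key_path.lower()
    if not lowered.endswith(WINLOGON_SUFFIX):
        return None                # not a Winlogon\Shell write (Userinit etc. ignored here)
    extras = [t for t in split_shell_value(value) if t.lower() != DEFAULT_SHELL]
    if not extras:
        return None
    return ShellFinding(key_path, "wow6432node" in lowered, extras)


def scan_events(events: Sequence[Tuple[str, str]]) -> List[ShellFinding]:
    """Run check_shell_value over (key_path, value) pairs and keep the hits."""
    return [f for f in (check_shell_value(p, v) for p, v in events) if f is not None]


# Constructed sample events in the report's "Set value (str)" layout.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Explorer.exe HelpMe.exe"),                                   # from the table above
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "explorer.exe"),                                              # benign default
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,"),                        # different value, skipped
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        view = "Wow6432Node view" if f.wow64_view else "native view"
        print(f"{view}: Shell also starts {', '.join(f.extra_programs)}")
```

On a live host the same check applies to the output of `reg query` for both `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon`; the Startup-folder Soft.lnk recorded below is the sample's second, user-level persistence path and needs its own check.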

Renames multiple (91) files with added filename extension

ransomware
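
The ransomware tag comes from the rename count alone: the sandbox saw 91 files get a second extension appended, and the Files section below shows the pattern (desktop.ini becomes desktop.ini.exe in the Recycle Bin on C: and F:). No encryption is evidenced on the page, so this is closer to a file infector or worm making copies of itself under victim file names than to a crypto-ransomware; the rename heuristic fires either way. The script below is an added example, not code from the report: given file paths from a sandbox run (the list mixes paths copied from the Files section with two constructed ones), it pulls out double-extension names ending in .exe, recovers the original name, and raises the ransomware-style verdict only once the count crosses a threshold (10 here, an assumption; the sandbox's own threshold is not stated).

```python
"""Find files renamed by appending a second extension, e.g. desktop.ini.exe.

Added example over constructed sandbox file paths; not code from the report.
"""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Sequence, Tuple

APPENDED = {".exe"}        # extensions this sample appends (assumption: extend as needed)
DEFAULT_THRESHOLD = 10     # assumed minimum before calling it mass renaming


def appended_extension(path: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, appended_ext) if the file name carries an appended extension."""
    name = PureWindowsPath(path).name
    suffixes = PureWindowsPath(name).suffixes          # "desktop.ini.exe" -> [".ini", ".exe"]
    if len(suffixes) < 2 or suffixes[-1].lower() not in APPENDED:
        return None                                     # single extension: a normal file
    original = name[: -len(suffixes[-1])]               # strip only the appended part
    return original, suffixes[-1].lower()


def summarize(paths: Sequence[str], threshold: int = DEFAULT_THRESHOLD) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Return (renamed pairs, {ext: count} for extensions at or above threshold)."""
    per_ext: Counter = Counter()
    renamed: List[Tuple[str, str]] = []
    for p in paths:
        hit = appended_extension(p)
        if hit is None:
            continue
        renamed.append((p, hit[0]))
        per_ext[hit[1]] += 1
    flagged = {ext: n for ext, n in per_ext.items() if n >= threshold}
    return renamed, flagged


# Constructed input: the first five paths are copied from the Files section,
# the last two are invented to stand in for ordinary user documents.
SAMPLE_PATHS = [
    r"C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.exe",
    r"F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe",
    r"F:\AutoRun.exe",                 # dropped copy of the sample, not a rename
    r"C:\Windows\SysWOW64\HelpMe.exe",  # dropped payload, not a rename
    r"F:\AUTORUN.INF",
    r"C:\Users\Admin\Documents\report.docx.exe",    # constructed
    r"C:\Users\Admin\Pictures\holiday.jpg.exe",     # constructed
]

if __name__ == "__main__":
    renamed, flagged = summarize(SAMPLE_PATHS, threshold=3)
    for path, original in renamed:
        print(f"{path}  <- {original}")
    print("mass rename:", flagged or "no")
```

Legitimate names such as "setup.v2.exe" also carry two dots, which is why the verdict is count-based; for recovery the original name is the file name with only the trailing appended extension removed.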

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
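
The AUTORUN.INF write goes together with the F:\AutoRun.exe entry in the Files section below, whose MD5/SHA1/SHA256 are identical to the submitted sample: the malware copies itself to the removable drive and writes an autorun.inf to launch that copy (ATT&CK T1091, replication through removable media). The contents of the INF are not on the page. The script below is an added example, not code from the report: it parses a constructed autorun.inf laid out the way such files usually are, lists every key that can launch a program (open, shellexecute, shell\...\command), resolves the target on the drive, and compares the target's hash (taken from the Files section) with the sample's SHA256 to confirm self-replication. Windows 7 and later stopped honouring autorun.inf on USB mass-storage devices, so on current systems the AutoRun.exe and desktop.ini.exe copies rely on a user double-clicking them rather than on automatic execution.

```python
"""Parse an autorun.inf and check whether it launches a copy of the sample.

Added example; the INF text is constructed, the hashes come from the report.
"""
import configparser
import ntpath
from typing import Dict, List, Tuple

SAMPLE_SHA256 = "1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028"

# SHA256 values for drive F: as listed in the report's Files section.
DRIVE_FILES: Dict[str, str] = {
    r"F:\AutoRun.exe": "1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028",
    r"F:\AUTORUN.INF": "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae",
}

# Constructed INF: a typical layout, not the bytes the sample actually wrote.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\open\command=AutoRun.exe
icon=AutoRun.exe,0
label=USB Drive
useautoplay=1
"""

LAUNCH_KEYS = ("open", "shellexecute")


def launch_targets(text: str) -> List[Tuple[str, str]]:
    """Return (key, command) pairs for every key that can start a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    hits = []
    for key, value in cp.items(section):       # keys are lower-cased by configparser
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            hits.append((k, (value or "").strip()))
    return hits


def analyse_drive(inf_text: str, drive: str, drive_files: Dict[str, str], sample_sha256: str) -> dict:
    """Resolve each launch target on `drive` and test whether it is the sample itself."""
    by_lower = {p.lower(): h for p, h in drive_files.items()}
    launched = []
    for key, command in launch_targets(inf_text):
        parts = command.split()
        exe = parts[0] if parts else ""              # drop any arguments
        full = ntpath.join(drive + "\\", exe)         # "F:" + "AutoRun.exe" -> F:\AutoRun.exe
        digest = by_lower.get(full.lower())
        launched.append({
            "key": key,
            "path": full,
            "sha256": digest,
            "is_sample": digest is not None and digest.lower() == sample_sha256.lower(),
        })
    return {"launched": launched, "self_replicating": any(e["is_sample"] for e in launched)}


if __name__ == "__main__":
    result = analyse_drive(SAMPLE_AUTORUN_INF, "F:", DRIVE_FILES, SAMPLE_SHA256)
    for entry in result["launched"]:
        print(f'{entry["key"]:>20} -> {entry["path"]}  sample copy: {entry["is_sample"]}')
    print("self-replicating via removable media:", result["self_replicating"])
```

When triaging a real drive image, feed the script the actual autorun.inf text and a hash listing of the drive root; a launch target whose hash matches the submitted sample is the replication mechanism, and any other target is a second stage worth pulling.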

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/1084-0-0x0000000000300000-0x0000000000301000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 f84c8028f2546f8c8738259df27f0def
SHA1 bd25e54c8dfcd710e8535cc27a07cb9194db224f
SHA256 b38e85b330bd9999628908c4e2239407b90ac3856e157c7884712b31fcfb9c92
SHA512 b36878c31dd3c3f948cecd815aaf34ed32e1a3c74c3244c2fdad3bda84ecdfd231a41b4d2b6cf1f916776451c8bd1aa066e22a9b193fb66a97bfa121bdca26a7

memory/2840-10-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.exe

MD5 fa200353f5792d70d554a62cdbc5be9a
SHA1 e1a0b774c1fff35725b0a4e3be86c49c2f0701a2
SHA256 a2fda56afce01a53578a58b976bc491874444219f984ad0ce24427c5bd5749e2
SHA512 89678479760e2c188d0c0af9fa1ab12aa83edc6e2daaa6aa0f33a03e0c2d045386f05afa489579069d49dabff0d508f36040d3a72e919956c51c7ecef75ad93e

F:\AutoRun.exe

MD5 2d7bcfb0da804d766df6340e62f2f4c8
SHA1 a09f15522f15b9345dcdbc8784cb1c1e3d293cdd
SHA256 1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028
SHA512 7b331d41ea947f992808669bb71ed2fb59a2c047a4dd34dc91c7b5cb08d5b588d2ef582f264093f9fa890fdbd8400cf6e5fa70500f54aa06f95d9ee2da68424a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b0a86a69157b7c7590869914f66c79bc
SHA1 dd7394d17dfb052d874a05bb5a6e018417840ae8
SHA256 33fb98e0ccc09deaf8fa057de150acdfdd4b8996788cf276c859ceef5e5646d7
SHA512 7cc11867c57367f3be47cde7bc52bd5cb979705a57fa93040f52b0121540367d77d8576eaaa80b72beb91cd33560b423b4bec753c9c37a955dc57d4b1496294a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a5b16039657744ef16264af1f4c6c30f
SHA1 5d092c3f9b16141fcf32f5a3d70999c77999d082
SHA256 c73b31939564d037b2326b71b34c532546e91451f3563aa83e9b15589dfc281a
SHA512 61f9b1cfc622ad2e6b4cc2d724fc08c7dd9f274108f661f33bfc1c316ce4d75718c550aa6425a87a571406e3de3076d5d41a1a40e5821b72a3c6239cda84eb8c

memory/1084-228-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-229-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-length at this point: the hashes below are those of empty input, so the shortcut was truncated and rewritten between snapshots)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1084-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-239-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-240-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1084-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-250-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-257-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-258-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-272-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-282-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-291-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-292-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-301-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-302-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-312-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-322-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-329-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-330-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-342-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-352-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1084-361-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2840-362-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 05:02

Reported

2024-05-10 05:05

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2d7bcfb0da804d766df6340e62f2f4c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1176-0-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f84c8028f2546f8c8738259df27f0def
SHA1 bd25e54c8dfcd710e8535cc27a07cb9194db224f
SHA256 b38e85b330bd9999628908c4e2239407b90ac3856e157c7884712b31fcfb9c92
SHA512 b36878c31dd3c3f948cecd815aaf34ed32e1a3c74c3244c2fdad3bda84ecdfd231a41b4d2b6cf1f916776451c8bd1aa066e22a9b193fb66a97bfa121bdca26a7

memory/4344-5-0x0000000000740000-0x0000000000741000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe

MD5 132cd85dc360a9cb41216e8a41659baa
SHA1 a8734657d955941cb0d1f6192dbb7657af68d401
SHA256 0f3d89bb14781ef212c3442aca758ad1c7618cd87eaa20f89332a25a08d36ae8
SHA512 0650efc970d587a5ea125001e604d24e0cbd578e4ee10e424177111a076b00ee87dbe2cf2bd3f45d5130d7025d5e2b9c7f1bd24e18fac01a730dcac14073d0a9

F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe

MD5 b34202f621e5056fb97033df6b1b12f6
SHA1 e3e38022ad528c5bea0c847f73312ccdb69a6f01
SHA256 6a95ec368116002b5db8bd89117a0cd8700da6408e19f08b9a18a9fb8c868d74
SHA512 30cd7f7a3bff2cd8f5cf50d8834caae263544859db6f7403e569fac6b21f1a8000d042d9d792ab8925daf45c7bc6bdb3a54bdcab6aac0159a0fc66a61371d4fe

F:\AutoRun.exe

MD5 2d7bcfb0da804d766df6340e62f2f4c8
SHA1 a09f15522f15b9345dcdbc8784cb1c1e3d293cdd
SHA256 1e6a73e1aac3256224eadc156e62acc8c10573d25bd93d3ed73939277c8d3028
SHA512 7b331d41ea947f992808669bb71ed2fb59a2c047a4dd34dc91c7b5cb08d5b588d2ef582f264093f9fa890fdbd8400cf6e5fa70500f54aa06f95d9ee2da68424a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fe36711d628c8def9d782721a3469e4b
SHA1 ef19c3e42faa9c79e4c082c9e4083181fec9d8d8
SHA256 bfab4cf2ac1fbcfe1aa8c1736610e382a79440ebf231b8440bd1aaaf311a9a51
SHA512 b42ba79d9c88d6cfc977b76cbf5949bafe9676846f34a817da4dc9a3051de8ec3549cb01c21873540c44b3e04106f0e3d6f023c3be7905a87c48294aca47f57d

memory/4344-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1176-47-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 21cf772a8d8f33a6d4d5c5d5a69b9195
SHA1 be39bbb51b3b606e68ab983a89bc9e7748601405
SHA256 9e2aa501de05cfe85c0747df53122372d6de9e65485d11d44564efb25d3c614a
SHA512 99b2562f7d4d41f29d691c4b4d2467d232aa80ce2b02c7849b010299bb3c9f869c3bbdb3694ad3bca672cf143c10c61d9bb54e7ff9707dc22b0d85b894334c41

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e5b2c78c5cb71364a6c170f70b352d28
SHA1 188dcf095fd3b951e56382e1acfcb89f7b784b4c
SHA256 289dd3ab82b4422ac6099f5bb3574b72a6272a3caa1a2e6a71a447de70753120
SHA512 f165aefed1bd72c72818865df1a4a277d1816f1a6d5648c281d89696675017f63d203b5212fa6dc5bb0cca45855d8ddb3492d38dcfad23f860db12dc702b3935

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 889b7d8c79f091387db9d618c724a7dd
SHA1 80fb45ba8700d646325109e2e272897a65143550
SHA256 3f310a33d3da3582f33449c4dee563c61815e4580411e7599b476417f80e5055
SHA512 c37fa4fd5564246e2d6ca3a9ff7010345948508ec5064996f0d6088b1c528e3a089b72a810d6fcc07a7cb8a2853331bb8f2cd97e041cb732606682ee5e724846

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-length at this point: the hashes below are those of empty input, so the shortcut was truncated and rewritten between snapshots)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1176-57-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4344-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1176-59-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f431970e9e13a3a49d1d439e7d65493d
SHA1 c033181e22f48b3d2c1ecf4d458312095dace939
SHA256 904d923d8c90fe6f51c9494a8b13dcc4502ff1ac29b203ca3efc21b1a1d63a30
SHA512 b8f4b2259fc546501bb055a4dde3b709caf2f9221d879ef22042a359475594142726ef48036d32a6c352676772aaaaf8c69d3ca3aefcc688f9c44eb68ad34739

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d3b78db4ebc5396584ee02edbbb76486
SHA1 c2fb81296357ccaf04d4df7c975bc0cbccc0afd0
SHA256 cda5d793a18e831761d0c11e2ab8d9178ee06430d1fb11cacba329cef858617a
SHA512 3f1da835322a1a146480bc40f75a109799f606c0f75037c7898aa44dd20858c0e77e436b271d4ebecd73e31dcdb213cac9fd4246f3be9a0692b0957646b915e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 76a9135fe86fddce95905db7212c275e
SHA1 5488d3878a1272851b65c3b29924eaf428aea93e
SHA256 8ec8807670609e73ad417f6154ba180509ceb2a3f4a453ac635b8cf71e832071
SHA512 b43df6da5364cff554a3b9ccfd94b078588c5673a1a04105c20ca8c3652d4c8f6a0cbd2d1732ee137907dfa535a8d32618ec5a3b2b92d02b77cf03dbaea87ec8

memory/1176-68-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4344-69-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e1749aff91ff9b33276d1fd3cb4e9c6d
SHA1 944f3d19b8fb8d024f5ec5704375a531f5907cd1
SHA256 16f4456248bd89ec8329dee8f8c3f34c776595c089d09f5594ec33aac6aeb7c2
SHA512 181011b88fac5c1f2c697dfaea944e51005f6a9b1a79d00b3ce3d93c05bf52fcea2759c7641c869045f55d6c116ca9e54174bf76836f92c8c88a530503be9fd3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d5dfd323f219a437ff17c44b8c09f100
SHA1 e228c7368e97b509fff4e96dd9c6fa2441bd1968
SHA256 16d0b23b41ca60da9f48e7ee7fc62b57a92080c4752bb95117bae1754f510017
SHA512 508d9905c9b137ee0af9223426cfeb8fbed481199107237e6d46d4b4f28e2a3b30e26840e697d3336181c6c14067d670fb133886ea63edfe05a5520716fe762e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e125cd362a8cf34ddc695dff3d48492c
SHA1 1f7e2370a5a10108a7df22dce5b36a7616d466e2
SHA256 2c586828a804a0975a310747685433bfa8c8a6fd792bdc98bba34833743dc33d
SHA512 9a7239aeda1da02de5a7c8b74d26a4180d3bf6b24f71463ea3eb8e146822304be929738a7d8d474776062fa68de795b968970422826c7a36918ff202e385c31f

memory/1176-76-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4344-77-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07f0e128fa7158954267a63a499a626e
SHA1 3b16e2d9fb5480ef79797562383e143348dc7922
SHA256 bd41507ee3373b916fad15ba0a0206ca6d8236ed3bea3149b49957a962e73110
SHA512 8edbc51ced76d5d96ad40701debf71d6d892a710f93bd625f596cc889a2d474022ca9d63a1b0ff6e0c534e8d40e0b4bf149608c955e32c4c9bc28eec1cf497be

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a445106ec14dcf1c2d4aa1ebea8de998
SHA1 2993f3dd8fa04840fcc4df3663360e6ba7824c2e
SHA256 6e47b4abce900029476b97c9f95426994fcca9f1a958b84ece6e894448e5c0fc
SHA512 31c99ce0c5a04056092508e716f196d36beff5c3811c7d194add66015b6928cb66a5e73ff3d677ed6166ab3a1c4c5e330377693168ea25e333652f4f3acf3a82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4aa44f88fed42943c971fa9707bfc682
SHA1 b84b46f2c8527f980121721f07f2fd3a5cb1e88f
SHA256 0d5cdd7cc42fb7131166f704d530e15c14dcd8fc4a9b44dded09fbf49c046658
SHA512 c326601a71061d354ebd8d09d49f9a1af699ed6ee4757103c6c2d20aecf22917a71cee5154307a2f714372387d4d22def412baaf42acd17d2c6b1edeb609e820

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a429c68104fbe53e13ee0ce3a099c0a
SHA1 fae931ed8a120de367c2ecb6064895e3037b2e5e
SHA256 63dc6bd355416cbafd3bc83c3241a4d927163262813ef1ef1f2d81bec77dbeda
SHA512 0a421da8784872d0a9bf03aa8f8ebe2e2f70690c15725daa2f42c60cbba9e7a3c83cfbf9fab4c99b0e946fe8af860d61d61f54f6d3d22ee8efb8efa489d72aa5

memory/1176-88-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4344-89-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5698d9e7e5b3c96560ba6119b030d318
SHA1 42275cac79c40096425241746dfc3c3f072e8709
SHA256 e8806fbc0d5d4047066f7faa8bbd4de908c769c1b207fb776ec88579186e74b0
SHA512 7edd564b5f7cdef0ffc63b0f1a52beedae9d12762718e3916531ae3f47a4797773c4d0ed8214ada64d030f88326820e4f522f0441ccae84dd87cae529e8b811c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ec85a09c40b7e2a33f41b567a5fab886
SHA1 9de63011204fa980b0ebfe2c4451a83c1ce175c3
SHA256 fbaddb535873e4f8838078f03dcc7bbaafb9d1da202202f7700a5a7303db2d17
SHA512 d3299ab9a495252d9bec92525fddb73e41d0726fa28b10680318ccc6c116b81ee12490bb1075003ee07088400ad2938296d0681f14bdb470b58e605b2abe5230

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5296c52c180e329cdbc4b83835095b3c
SHA1 c27552754cf6630ccc500f4023e0aa9efa627d92
SHA256 048dfdd5cbd9f416a022dbb57812cdf3f9c205ba6321a9d77426c152d56ab664
SHA512 efcd8ab605c1ca66acec03d4c923608fe2ecfa148123d6ce25a8ea59b572bc70a036cf4145fa95efdff794e422b934e5eb46d625c2bbd4e866096830bb8914c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk