Malware Analysis Report

2025-03-15 05:41

Sample ID 240510-ll1gdsfd9s
Target 2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118
SHA256 efbdd2f958d20d41ac7ad2e72b40bf10605776e7abd6a6a3998a9c5329eecabc
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 09:38

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 09:37

Reported

2024-05-10 09:40

Platform

win7-20240221-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 09:37

Reported

2024-05-10 09:40

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e7f0efe7121b4bab9a64f126a6dcf1d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

SHA512 e7a60b1f97f608614940be99f97ff74ef55f9f0f77ff66ed96716935192ee765ce3e2173511251da8ccb845903806fa65f5c9d2b4d5c04c7b077c5fa35383a9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f2e50e2a08f1033d3f68f589488f992a
SHA1 8345f2479619ab8304958869484cc2cb7a643a73
SHA256 31ec7c161041e93d5c5e136db9fbfaefbc4c29b1b1209674ad58527881d2c93d
SHA512 ee59325f7d6cd3e1e5ffd75bfdf0d81cbbcaea7e748c0071343b0bc221d9864655288461c0349083b3a999207317b188e40574f5e0a98e484de37f7e9af67cda

memory/3060-130-0x0000000000400000-0x0000000000478000-memory.dmp

memory/100-131-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0430617c8bd89474e329e7c0d9627e4
SHA1 986133458dd2dd9c83521f0546aab1d9bc68c8ce
SHA256 9b94111a503334782587683bb2d7a3e4e17c4e1ab8a37a32b686027f8a35cc0a
SHA512 eaca0e28d7a1e7639720e9b47cc3e4345b101d239345e5f3e7cf968cf7be9a7048b7cdce7fc382b6c35dc77b2c8b4dac79634dcc4eccef79bbf772e646ba1bb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6664e136bc5c9402027c39904390f310
SHA1 a30a6b36450d8d2e4776f792cf15b76946b75054
SHA256 86e128f4f74a586054a65c611e18d3dadd566c4c532312b35d79c9db07c27a0a
SHA512 571013416ca00fe9b8eef843322457793f39a2ac72dd5a3e1a0ae6fb67cd7f2488ec6b20b06ed778a7e9af5cac55b1d2d3394f2b1eadf2956cf9cc11922187a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8c39a0d85556b16309f38663bce9fbf8
SHA1 302b6c01d013454a6419502ccc204c4d691bb7f7
SHA256 e6d693cb55706bbb05bdde7212b1d160eff26fdc406ce97e7f38c49a363c66cc
SHA512 cfc66e51173f4a34d9cbc1e85d8c463e72ef4f8baa6825ca1c4a1f8c64b53ac0f6ebcbfd0ab68578db82bd888a88aab6f67f6839b9f0bbd471b80fefb2e5efe8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ff41d73eda68a84c0d15381819c1bbc
SHA1 0bf680b0a53b46c9edc78d19667254c3342d67eb
SHA256 8e8c3b0dd03664036620ca278be477491510c0d5c85132b4d1435f2016650cee
SHA512 5255185666ed032fcd924ab258998228081cd7dddf0ff38889b853737a87b0a5f8cce92549c8e6c17827f94c99a81c2d975d1bbc6a452480ab82c7a4a360e3f6

memory/3060-140-0x0000000000400000-0x0000000000478000-memory.dmp

memory/100-141-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9bee2e6391582c1b6580a978894ad044
SHA1 fd4e407240bb1c02911e530154f3e2c8236d2cc1
SHA256 e5cfc812180c1ae3c33eaa2136b957809917ccee3c9441352452e7cbb173d97e
SHA512 c1dd1ab206bcc84c74a9039d4db408fa3c6658ba91fa20823c8555ea2a65f18354001412415bc3574d6574c16add9b207298f73acd82e2e25db5ef4b2ea04ca3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f417157f06478a003deacaa6a01c1a6c
SHA1 d0d339384950a2ea119528c19fe8632f8ea7ba90
SHA256 1f906a9a85724c7eeadeb955b754fbe2e9c9fb965b3a7e7f2293e56fcb40ade4
SHA512 59efe4633b9abe8200ddd81496eb49e660bfbef5e18c039f9cbeb8f596b5a9a937e59466c9cfde0f7ef5ac6b76072220923bac73a24b53acb883dd0b9f923a2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 caa74c633d5a61a9540ae13fa0a5043d
SHA1 81853e894c448bba030bb26387a36e11960b0cb0
SHA256 0653547d763a9699ac9b5c3af57d82c225fa585a44f93e80fdde84a990d505d6
SHA512 a588172713e5d7a75a7e2ab478015ae84b7194dee4200abbe2167395d5290465f60169599bfedf3737b18b1d8a590b84c45d62d4996aafd47bbf96f8d9cfadd1

memory/3060-150-0x0000000000400000-0x0000000000478000-memory.dmp

memory/100-151-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8a2356b43e0070b346afcdb0b200ed53
SHA1 0ab030c2c7784a7081d531b6b43a0e350560bd4f
SHA256 35d02fe7abda12bfa2fea455a5267b818d73dfb7babfabec1cbd8768b79f1b44
SHA512 3ecd75a1f01a0cc137be96f1f08365f5b529ef59a6536bc93cec76cf231d14c978b0d4a131eb036444cd2082f3a529d698fc64d25ff62cacd34512b120427725

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8d0bd2b6d235206d4ea3e519497c3bb5
SHA1 3d17f06cecfe0d6a3b55b399cfc9ccd8c908ff4f
SHA256 1e3d28f9c3c6395087fd88757838d327f29697ebc88bf77be9f2cbd8df4b95f1
SHA512 d01b537dc8d027fe6d21924ff8cbe60807c6a87856e9073a087af3ebef54e1ccfee3c96e64a702903adbb2d00947e76c99b527277d5e4a088cdcedd4594e67e7

memory/3060-156-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 489cc40bb45ea4cf0b701a825f913d99
SHA1 c392a93043286b1dfdb285814d7dd6f9c82f46a3
SHA256 139af61e74cc618884bd417458603e09ccd690a4625ec119e13b55f588fc5b3f
SHA512 5d30e637b3230fa9c336dcde41400b8f62371e31d93d6d5fcfc67f90ab0bd687cb1d3668d9a02cbe828204ecb564ff69a3d597d9c0171fb5ebf73f75c349df75

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a14dfdec323a5819cd317f03ed7a1dc5
SHA1 6cca81bf1f58a193d95b362fafe0a08a2edf0031
SHA256 33acf89efb55d942cfe46a219e2cc81d7500351de4e17bd1f5c7260e267899fa
SHA512 6f0b28a0827770f7591a94694df946b761d665c27cc3698a2730aab2faf29d1c3ed8fd9f44e71f0e39109e57ec55a7f21cc0752275289a9ffea368449b3470b9

memory/100-161-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1af2d06d0202080b3181e514d2f49ccd
SHA1 58b1d98047a1f37c19baac51c82e74513c9c3637
SHA256 541443e3145d1f57c87ea0f9a2eb9b730a9cbd071601b26a3b3462b30350ba61
SHA512 105664e8c49e06bf3b9c1c30db256be4fc548b8be849dab87140c491b048ce3f832fd98b2573e886cf38a2f296023f2fe66c95d97f43077e49540b292287765f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 388866cd084c151ef34d4b3a7f386d36
SHA1 0744e659cffa245d0129e6b283a25dca3b0a8904
SHA256 ee11391700cbf2864f1031163f1e0542fe0413c55fe161fbebf8e27569cd027c
SHA512 ed0b184e8f8751c59c7a940f2fdc8e14b310cefe7834dc0c26bda68c81f05251f30f9f2bdfcc92f907235bcd5e96e268b597ff3d43443709530670b2ff837b5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 50f06aad3ea9098854ab73aacc60eaa6
SHA1 e6fa8f17cf452ae61d787c3dd076917ec1ffb666
SHA256 01a98e90bac128f0f5aabf5c6186b9fbe4f4789d08c8c2e87301dda48daf0906
SHA512 d673d7b6f43dfb3fce81a4529a1d1f86db068b5bcf465ec6f1bdd930601333ffeac7763bfc17eb63cc10fd4faa1cf0844d0ccc30459e8a331ba14edab0bcf2ec

memory/3060-170-0x0000000000400000-0x0000000000478000-memory.dmp

memory/100-171-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ce728789c018c0fe20f7d4d7797525d9
SHA1 3f4379b998e3d7d28cc537605e596f359477f38c
SHA256 e75f17ab2b2c64557c78dd26e6499b02947a14459fc8e3c5923c54936a3aee1a
SHA512 bbb292baac346d89784e9fcaeb622ac88bc384701ba49e00cf22d439e5d280c4221056c20460c0a06f95555974f9c0a16d739d83c7474bc60f66b2b6bf574259

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 09a45d8468d51b33391a0d36a0a8c62c
SHA1 196bf1889fa397f9861a4b9656a03502f8a9ae6c
SHA256 3a2bc45d5c2348b64b1ea9bfc5e5e6a6c1ebbcae712648746bb20e0a76dc68de
SHA512 d84d603e10664a909a670a2164978c16313eb5d84dff5c2ca3c2466ff86fc4a9c7550f760fea556d659ccf639808aa4b75d2a43242d22f488bca5946ab335972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2adb57343367d758ee1caf4a87f731b1
SHA1 e8d3b29cde5ddb367c392d82228db8e66eae88c5
SHA256 4b6e6d05fa9807d180c082d0be820148d4d0e6b15591d4c8ceb34d5bc816e109
SHA512 ceade6489777d23e81f9a38c1d77aa5a9aa252dcc74c03253969bdd899810cbbbd3a18c8996c98e42796bb2b05d428a082a1bebbe29e7d04e52c4cd344470311

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2696f2e069948b0dca9c47207277d36d
SHA1 0b66b6124ed640183bbdb88c5f9854747a8558a8
SHA256 f596bd95b5d329d1501de3eba015631e58cab5eb0147c1a8e26b7f6fadf70602
SHA512 498e80c2db25aac613e7f5a2b51896bedf0e1fddc65513c4f2a7c15451066f19bf8a436624df35f852f6f7664a383c5127427e7f9748916f5647785d20016c0b

memory/3060-180-0x0000000000400000-0x0000000000478000-memory.dmp

memory/100-181-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 437e19da27dd2651ea5f55f6e5e2d438
SHA1 30a9634a8d4575a7e39c365337483499f1a5bcba
SHA256 bb1d7d5782f32fd9698c147468a2f7ca07bb6996c2b818e8ec0f71049ee8806f
SHA512 fe2cc41823b60e6df28a188049053c6f3824b58689cdfa4964a7185b8beeeb170cf3ff4dd6c7d439464ccce47b37c113fdeb09c40b9d01d8a5a26ed0127619c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6952e2087c0175100a802fa2393f6a29
SHA1 7856c5dce168a5da99f9aba12dfd96acee6cb402
SHA256 002b1819f675b17211aef378f37ec243b8c0a84368c05bf866a7e688a366c5bc
SHA512 4fdad15a04bc71b133b455d59b0a1fc629437154f5096fc51968864088712d1bcb5dded93ff7dba88376f31ae1247cba22ba4b328d13a2167d96a704040cb04b