Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-lmvmjaag39
Target 2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118
SHA256 5c07b987df179893e32a8778d4fb0e35cd57f2ab349bf85a7941e71b31fb668e
Tags aspackv2 persistence ransomware
Score 10/10

Analysis Overview

Score 10/10

SHA256 5c07b987df179893e32a8778d4fb0e35cd57f2ab349bf85a7941e71b31fb668e

Threat Level: Known bad

The file 2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-10 09:39

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-05-10 09:39
Reported 2024-05-10 09:42
Platform win7-20240215-en
Max time kernel 145s
Max time network 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-05-10 09:39
Reported 2024-05-10 09:42
Platform win10v2004-20240508-en
Max time kernel 145s
Max time network 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

ASPack v2.12-2.42

aspackv2

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e80c5e208dd1f7438f7862c57fe22da_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files


memory/876-118-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dffe7b6c83802491cf11e7c97716d539
SHA1 d1bd9635b0a70a8587a0553d71255199c687649e
SHA256 1b7cd3804afb61c20032a95ed593b4591d72d7f709f936bec80c9315bc54fe52
SHA512 d0369e52dc8e6f10746f5fe51b10bf72baeb7dd504cc087adf466929350b69ddb54e445a0c8d18204200bf15ee5192ebbf5a41944fc3c1d7a4ba5d5b41277a48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 90c313fc39aa537830cf2e056f05af68
SHA1 30eca3f1f0e8ec6210097687c91b861f38aacebc
SHA256 d56d358d37efc447db8e8ad128926793922282366db0ac8d4a8aec77c483d295
SHA512 27dce322e53abd40bd0b1472cbfa57b4306c54e1057d110a670449d9f4c2ea180665dfa75b85e1076c054d920162a7e2ecef4d0fa34cdeb76b392c2c54635e46

memory/3012-123-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1357b8a5cff0f64f88ff44e35d8056fe
SHA1 b82cea3b4ab9b8e9653402c70432b6c9aa1a7dd5
SHA256 82595b752a919208e1276023b6432b29514ab8c9ab83b677bd0f781887511c84
SHA512 bf9a6fac68f882cfd18312ceab5ff89902fda6b185ac959cef034720a0fc8ae77fad7a697ef21bf6dab131ce35733eba3190bfc30f57f4145a1cd338b54cef12

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d86277e064e44e9903c071758e1a6016
SHA1 02097235ebed5255363279cfa8d9621c0a74b7b6
SHA256 39da01ba7b7f2ab34048636c80a9b4d1afe017cadabb18d311b9d30de9885280
SHA512 7da1db41ea2bc32ddbcc716be396779d7fd95b4c169bb175d3936554f4d2ffb0f666b55eac87c612f9ca1869c2d8c046b5cb1c739fb5a7e339fa7ac387fbdd88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab02db9549d52993650ab4029e38e5dd
SHA1 d8c4f0d882a4549f2ea76166b0f8ef4b167ef6ff
SHA256 66183931f1a2e2a09bad98f040527b0734b98d6ee874713070daa9f441d69c38
SHA512 df81139c5d8a031b350bf10e0c352f5c856cfd57a6059b8deaafbba3ecb430bf1d8ead70b95c31f022071e9b5adab6a36226f825a1c854b2fbec8fd1252776ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8c84f44d1d0b9a59c08d5a941d4b5b71
SHA1 1e3b265e5bd472989e4186bb8a92dc0e594becbf
SHA256 fb3381c31fcfd18d3d01fb0fa93b5c64ec9535bb11b12be4733b6d8c59ff3f37
SHA512 8044cb7811b0a76f4dfc7fd989a89663be5843c171b6752c8f141904d5110faf82da662c9f5886cbc03f5762278eb6f7ce8310408e2de1b2bcc8706e9fa240c1

memory/876-132-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-133-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5c2e5827fd9267ecf5f60e6b9cd78eac
SHA1 1398eb6fdb6f3fc4806099fafb13410097b3742f
SHA256 3a968435ebc9f4535a6cb8a5d9c5b364cd7c623bda8e17ef79cb60716fe11bd7
SHA512 cede5c9dea8646a000cb4edc0e69df7c3d0f9a201e6394d6a93faafafe5288a16281ad62282bbd9ad832576564184749509efcb1cfa969183ad5cf30fe851d97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a07f1730b0ab3f60a63cf12ace7b089
SHA1 0e85b205689b100e02b2920b1d6936268855fe23
SHA256 90a4a53c0a402ac7e66ada945bad207553189959b6edcf5c6eaeda841d9a7e91
SHA512 00191b8b950a150533017d656cc0837ab173dace6956084aea66e1eaaa282d5a4b7e43cb1b99b7750ef32bc026a2bd30ef3e3ad77402308c6f04f07bff68048e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 09f12affb4b35ed92c0125bfed4125b8
SHA1 288ec46fd631502e2c6649fd7b5ba83e3e1f5e6a
SHA256 6db307deb5c105d670d39ec7758fdcdb5cf4032ab233804f761d72b6da892a60
SHA512 eaf5387dd4ef9560f4689497b18d47797efd4502d9f6ada5f2e386224c5f872c32c9a8e0add9fcdd9e21015f74e7230920631e25682978abce460d6a6df1829a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 417d5ddfe30189723718357e7bb0263e
SHA1 07c7835265ad16266ea6b849a5baecfbc1a670ac
SHA256 bdeb62366ab29fca7fe987db551bd9c72189b0fd537bdff477de5046ebc417c7
SHA512 8b53777f659d9740e1a486cb166f7d765aae080feff552537c44f49276a269a8deda2cf0be5f58f84f69b7680d341e04c0aeb68c77c8b9d16950c181fcda31e0

memory/876-142-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-143-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 976bece7da3c73475e4dd2745a04cda3
SHA1 cde2c291d82bba1e9b4eeb47d798b378ce084534
SHA256 4999688508a90abb911ad4eaa4b90aeda582236ac4766616f70fae75a4caa203
SHA512 bca216814b0ff4f35349bcc129a625ea6ab2998aaa62a90f0cd82aec804c5427975b939838857da52ffb6139b61c57592c276d0e7f02d9265e0aeb2ae4c0ae20

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 10a12f867a39282a434e52f5915fa42c
SHA1 538556a01fa9c65b8f9a3582d69718dd3745ca1b
SHA256 a8769f812ea112fc6d0cf90a9ac7746a3d3d983358c2c41329c47ce9f672dac9
SHA512 6ed9854ae7463be13c936be6c45ca267f9a8a6ed8d30e9910a5938603a6b573af8f3cba8c2f8a4ad26ca5b67d53f4d7660abf852e7b10b51d40f4f5654354dfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 955beddfd836a093a465e5d91c8825ed
SHA1 9ade3af2e98f536c1fa6d98775cf46f5aa7b83fe
SHA256 8af338d63bba613ebdd7b25afd8fc1b2fe7c6e654278591efe5a8f5c4bdcb213
SHA512 ee01a120c2e2529a4e1921ad1382ac3aee6ab6fff7720d7d2066aec6530db9caa59864f875a7aa1b852e8967605db05869d8877c5d70c48c44a835a4266fef01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8a80a9c3916367ee207eb2cda4f47c14
SHA1 9b325e3d4dd2ef16c035d3a1095622841764e74f
SHA256 5caccdf15f457463f28149b8364f6b103023c9925f88383006450e72f0ba9499
SHA512 da4a0855bde183b5e7ab8eb4cf279750bda6d8b1ce5ae46e43985188f2252d6169ba7f3ac5cec8fe562166b4ef58d03546715071f1a597e0052fd524fffe2b59

memory/876-152-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-153-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 35257d3d8a7b13c528d868a085b95db6
SHA1 00a39085a6fcb4feecdc738c197ac6d438473226
SHA256 f9bff56845805379176cae57347c6460d064da6661998bd9bf7375af4de5beff
SHA512 9d882c8c0d75191af600ca78a7e93e701abdda1e90b1f1dd9114a09b64e17794a8b8c6b2ca8fcb5a9bc7396a4925dde773bbc69ec93e4cd87ec9f021ffd6ea06

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 564ddb530a03f3ee7bea20390f24953e
SHA1 74614ec3694b5e3f3b2ce38ed7d3eec3f65d4775
SHA256 064133d3b30c752c60b085ff62581d716fcac25b517cbe20698a683870a0d840
SHA512 5757ae2c0985c4b103fc435e994382b76e05f208cd6e2caf0bd2505b17eea5add0e5c447cb5efad0c8ce62eb4f9bdcd6305d691d65e8e18b54458be275abe326

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 35a9379ba99ab7c1f6be159e075c9cbb
SHA1 e6b54fbd56496d58521d5070492cd2793f1f9ba1
SHA256 2a1966d9d3b307d2f7ed7da0bf91cd988cea57bd9d1959995c5a2b2a298d86e0
SHA512 d5e66848fcce0f6792a6a0a6c6e96b223ef6acbcc946142cb5e448cdaa8232b6aecb040c6c58363a8a16abd1de8fd9eccd7d15f44362443080393fc1d269332d

memory/876-162-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-163-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b5113dba43d9b42d36243c27e609fca1
SHA1 33cf5aa2431c8d1cff73939d6acc47e2fb17e4ff
SHA256 48516c1ccb0bd8caad5c0f73544dc6cb7382b6e30f0f589eea8dd7b8c6c9ae9e
SHA512 b263f3838972aa7d06d351fb5fda4a65511bd1314ca220da14c85b2f7fb3f59432379379a120972052f5832f11cc3b0fc5a855a3b36541bf5d85c830f253cdcb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 77ba9cf135041e66a8374c83d3103e25
SHA1 c42e8df8ca7b4519735070fecab7fc26be169b30
SHA256 4034bd7ed4b083d1bd5aaa40bfefeed72e715ea9d4f1d060edf918c6bfcc221f
SHA512 2549cb3198a6791c0c591420684f28b5ec271eae6cdcfaf03539c218af6d5cd3fe563d70a3b3675a5a5e17776f105aa302498ac3c48a2ab8ae08337b61ed21f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8c817d0ea313bb4da0219418cbda058c
SHA1 49d7b0d1750f6e6d8dc06dddffb0a013ec33c0f4
SHA256 f8ec9f96171909e8e239b5f10d8ee9a87dd3763bcc98e2c09d4ac95a8f0bb58b
SHA512 60894b668d00fd389b18adde80b7a7f0cd1105511123d3b797c192ff721bc7c0d517b8ce7f38ce50c0292206b277fccc9d82e62b83b0b99db2afac4a701f2145

memory/876-172-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-173-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3efc14eb0422469f3aae01254d4bed6d
SHA1 d7e74c5345a3319d3fedc07ca825f20045849a22
SHA256 954d07936c21a582fff402f9fdb7228c88f87d76a4509a88caadc379961ecc0a
SHA512 6b47478cf8bfa0bbbe4fdc83a744c6633dd13453f7be89675a7d4b29186a6d856db731fc04961c17f3f1960920164a6def1c945341b29340af668950571034f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 561fe2a503b2e006fbaa7186d2275f02
SHA1 f75db6b7c7c86d7aa836f0953504ffa81b7c1bbe
SHA256 ba11618134042de4b78cf20fada7537e66ac882c6ff5fcb1af85bf49fb09d15f
SHA512 0bc65dc11b97bdb7833ec38432a0a921dd98df4944980be0c0b1c8fbf640fb01d429b7f6a1d315a0cbfd896e12860d26871fce663eebc79a504bdabcb07ec5e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 65e4bf19657e690f34a95f551ee4547e
SHA1 9f1d024c5ca1149d2b8464c7c78f0418ab5d6d3d
SHA256 9941db5234d4cf65ad9072586e78ab4f4e90f10aec4dcf5a1b5a2b75b91c19d8
SHA512 f3c18dcdf9d01721bce59dc03f4bd6d6b1dfacc868c64ef1838be658f98808ea7c78d2a65bc81118ab49bf339fc0ea2f6b2fdd199e36632932bee259773b7fb5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bbf9cf0f2abf7e2e407b46ef3f690834
SHA1 034b89c9b6725e53eb23205ff7e2bedbd4d7bb07
SHA256 c51a22acefaf74d7a04032965c56bab860dd7631ad443a9190eff44d26edfa00
SHA512 55910d5120a7799eed50a607b47674de5dd5aa346226dcbf09f348df294db40a59bef52ff3c8cfc9377bfbc6dc7c9f1e920daeb119633d1346443e5ae5373eb3

memory/876-182-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3012-183-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 80217220f29cd7c5a562886b19db30b3
SHA1 41f2ae5a006c16cb8e16b56017736cd2c34c557d
SHA256 3e34e6f74faa5db4c50ccd5a404bb409c01cf240883763b781de58edf321e2f3
SHA512 7d12e86bc84fda6f7edc4135d7835de23e0c131216238af4a6c8663dd9d018aab5c5f735da9b8351be7a315295c3581b74db0badf20fee8b2cddfca9aa2fbe6e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 19f3a58dba4b3fcdac4fdf4d59218953
SHA1 ae30865dea8986c406a9131dab9dda106e49d1ea
SHA256 b47157c2cd8e7f1b215aab2acc65d61c138d4061535290c12c8bd2ec4adeba79
SHA512 2ef5ddf2ae39ae29a397c16b1ea13a1223c79e07cf04fcee9bc8463ad5cf835b96825e1ad034a46b9c423a2b5c259e90ae86ac95f580124552d305ac7383bdb1