Malware Analysis Report

2025-01-22 12:26

Sample ID: 240516-hlg39sgf51
Target: 49df499ce823e33e888b896d894fd74b_JaffaCakes118 (the sample's MD5 plus a submitter suffix)
SHA256: aa7c5e6e9e377301576f0ce37320b915d35f4c2b22eb9926f2ca5622e0fc707b
Tags: aspackv2 persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: aa7c5e6e9e377301576f0ce37320b915d35f4c2b22eb9926f2ca5622e0fc707b

Threat Level: Known bad

The file 49df499ce823e33e888b896d894fd74b_JaffaCakes118 was found to be: Known bad.

Both detonations (Windows 7 and Windows 10, both 64-bit) show the same chain. The ASPack-packed sample writes a byte-identical copy of itself to C:\Users\Admin\AppData\Local\Temp\MZ (same MD5 and SHA256 as the submission) and a second, different binary to C:\Windows\SysWOW64\HelpMe.exe (SHA256 50e25be03315cf2f0c4d7f193d092dde70128b3d2ad7dfb601357cbf1d922855). Those two processes set Winlogon\Shell to "Explorer.exe HelpMe.exe", write Soft.lnk into the user's Startup folder, probe every drive letter, write AUTORUN.INF to C:\ and F:\, and plant .exe-suffixed files over or beside existing ones (notepad.exe.exe, iexplore.exe.exe, desktop.ini.exe; the sandbox counted 91 such renames). No traffic attributable to the sample was recorded; the connections listed under behavioral2 are consistent with the Microsoft Edge utility process present in that run.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

ASPack v2.12-2.42

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

This export carries no technique table. Mapping the signatures recorded in behavioral1 and behavioral2 onto the matrix gives:

T1027.002 Obfuscated Files or Information: Software Packing (ASPack v2.12-2.42)
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Winlogon\Shell = "Explorer.exe HelpMe.exe")
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Startup\Soft.lnk)
T1091 Replication Through Removable Media (AUTORUN.INF written to F:\ and C:\)
T1036.007 Masquerading: Double File Extension (notepad.exe.exe, iexplore.exe.exe, desktop.ini.exe)
T1120 Peripheral Device Discovery and T1083 File and Directory Discovery (read-only opens of every drive letter)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2024-05-16 06:49

Signatures

ASPack v2.12-2.42 (aspackv2)

No per-indicator detail recorded (1 hit). ASPack is a commercial runtime packer, so the strings and imports of the file on disk are not representative of the payload; the behavioural runs below are the better source of indicators.

Unsigned PE

No per-indicator detail recorded (1 hit).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 06:49
Reported: 2024-05-16 06:51
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

The default for this value is the single entry explorer.exe; any further image listed in it is started at logon. Both writers here are 32-bit processes, so their HKLM\SOFTWARE write lands in the Wow6432Node (32-bit) view shown above. The 64-bit logon components on these platforms read the native Winlogon key, so this write on its own is unlikely to launch HelpMe.exe at logon; it remains a high-confidence indicator of compromise, and the Soft.lnk shortcut written to the Startup folder (below) is processed regardless of bitness and should be treated as the effective persistence mechanism.
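A host-side check for the value recorded above, written as an added example for this report (it is not sandbox output and not code from the sample). It tokenises the Winlogon Shell and Userinit values the way a hunter would, accepting both the documented comma separator and the space this sample used, and inspects both the native and the Wow6432Node view so that a write like this one is caught even where it is inert. The SAMPLE_VALUES dictionary is constructed to mirror what the two runs recorded; read_live_values is an optional winreg reader for use on a Windows host and is skipped elsewhere.

```python
r"""Winlogon Shell/Userinit check: flag any image other than the expected one.

Added example for this report, not sandbox output and not code from the
sample. The sample set Winlogon\Shell to "Explorer.exe HelpMe.exe"; the
defaults are "explorer.exe" (Shell) and "C:\Windows\system32\userinit.exe,"
(Userinit), so any further entry in either value is a finding.
"""
import ntpath
import re
import sys

# Value name (lower-case) -> the only image basename expected in it.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_entries(value):
    """Split a Winlogon value into its image entries.

    Windows documents a comma-separated list; this sample used a space, so
    both are accepted. Surrounding quotes are dropped. (A quoted path that
    itself contains a space is split in two; each half still fails the
    basename check, so the value is reported either way.)
    """
    tokens = re.split(r"[,\s]+", value.strip())
    return [t.strip('"') for t in tokens if t.strip('"')]


def value_anomalies(value_name, value):
    """Return the entries of `value` that are not the expected image.

    Comparison is on the basename, case-insensitively, so a full path to the
    legitimate binary is accepted while HelpMe.exe, or anything else, is not.
    """
    expected = EXPECTED[value_name.lower()]
    return [e for e in split_entries(value) if ntpath.basename(e).lower() != expected]


def check_winlogon(values):
    """values: {(view, value_name): data} for both registry views.

    Returns [(view, value_name, data, extras)] for every value carrying an
    unexpected entry. Both the native (64-bit) and the Wow6432Node (32-bit)
    view are checked: a 32-bit writer such as this sample lands in
    Wow6432Node, which the 64-bit logon components do not consult, yet the
    write is still an indicator of compromise.
    """
    findings = []
    for (view, name), data in values.items():
        extras = value_anomalies(name, data)
        if extras:
            findings.append((view, name, data, extras))
    return findings


# Constructed values mirroring what the two 64-bit runs recorded: a clean
# native view and the sample's write in the 32-bit view.
SAMPLE_VALUES = {
    ("native", "Shell"): "explorer.exe",
    ("native", "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("Wow6432Node", "Shell"): "Explorer.exe HelpMe.exe",
    ("Wow6432Node", "Userinit"): r"C:\Windows\system32\userinit.exe,",
}


def read_live_values():
    """Read Shell and Userinit from both views of the local machine (Windows only)."""
    import winreg  # standard library, importable only on Windows

    values = {}
    for view, flag in (("native", winreg.KEY_WOW64_64KEY),
                       ("Wow6432Node", winreg.KEY_WOW64_32KEY)):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY,
                            0, winreg.KEY_READ | flag) as key:
            for name in ("Shell", "Userinit"):
                try:
                    values[(view, name)] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value absent: Windows uses its built-in default
    return values


if __name__ == "__main__":
    data = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    for view, name, value, extras in check_winlogon(data):
        print(f"[{view}] Winlogon\\{name} = {value!r}: unexpected {extras}")
```

Run on the constructed data it reports exactly one finding, the Wow6432Node Shell value with HelpMe.exe as the unexpected entry. On a live host, treat any finding in either view as worth a look; a legitimate full path to explorer.exe or userinit.exe passes because only the basename is compared.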

Renames multiple (91) files with added filename extension

ransomware

No per-file detail is recorded for this signature. The double-extension files named elsewhere in this report (C:\Windows\SysWOW64\notepad.exe.exe, C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe, C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe) all carry the appended extension .exe, and those with recorded hashes differ from one another and from both the sample and HelpMe.exe. The report does not show whether the original contents were encrypted, overwritten or merely copied, so the ransomware label rests on the rename heuristic alone; an appended .exe is equally consistent with a file-infecting worm.

ASPack v2.12-2.42

aspackv2

No per-indicator detail recorded (3 hits).

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MZ | N/A

Enumerates connected drives

Both dropped processes opened every drive letter except C:, D: and F: read-only (\??\<letter>:), consistent with a search for further volumes; AUTORUN.INF was then written to C:\ and F:\ (next signature). Per process:

Process | Drives opened (read-only)
C:\Users\Admin\AppData\Local\Temp\MZ | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
C:\Windows\SysWOW64\HelpMe.exe | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Windows 7 and later ignore AUTORUN.INF on removable and fixed disks (only optical media still honour it), so the file will not auto-execute on either platform used here. It remains an indicator of which volumes the sample touched and, if the F: volume is carried to an older or unpatched host, a propagation vector.
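An added example (not part of the report and not code from the sample) that triages a file listing for the two on-disk indicators recorded in this run: the double-extension files behind the "Renames multiple (91) files with added filename extension" signature, and an AUTORUN.INF carrying a launch directive. The file listing and the AUTORUN.INF text are constructed; the report records only the hash of F:\AUTORUN.INF, not its contents, so the open= and shell\open\command= lines are an assumption about the format, not recovered data. The rename check generalises beyond .exe to the other extensions Windows executes directly.

```python
r"""Triage a file listing for appended-extension renames and AUTORUN.INF
launch directives. Added example for this report; the listing and the
AUTORUN.INF text are constructed, not recovered from the sample.
"""
import ntpath

# Extensions an appended rename would use to get the file executed.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# AUTORUN.INF keys that name something to run (shell\<verb>\command is
# matched separately because the verb is free-form).
LAUNCH_KEYS = ("open", "shellexecute")


def appended_extension(path):
    """Return the covered original name if `path` looks like <name>.<ext>.<exe-ext>.

    'desktop.ini.exe' -> 'desktop.ini', 'notepad.exe.exe' -> 'notepad.exe'.
    'setup.exe' (one extension), 'archive.tar.gz' (not executable) and
    '.hidden.exe' (dot-file, no inner extension) return None.
    """
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() not in EXECUTABLE_EXT:
        return None
    inner_stem, inner_ext = ntpath.splitext(stem)
    if not inner_stem or not inner_ext:
        return None
    return stem


def renamed_files(paths):
    """Map each suspected renamed file to the full path it covers."""
    out = {}
    for p in paths:
        original = appended_extension(p)
        if original:
            out[p] = ntpath.join(ntpath.dirname(p), original)
    return out


def parse_autorun(text):
    """Parse the [autorun] section of an AUTORUN.INF into {key: value}.

    Hand-rolled rather than configparser: keys legitimately contain
    backslashes (shell\open\command) and the section name is matched
    case-insensitively, as Windows does.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text):
    """Return (key, command) pairs that would execute something.

    Covers open=, shellexecute= and any shell\<verb>\command= entry; icon=,
    label= and action= are cosmetic and ignored.
    """
    hits = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


# Constructed AUTORUN.INF in the style worms wrote to removable volumes;
# the real F:\AUTORUN.INF contents are not in the report.
SAMPLE_AUTORUN = """[AutoRun]
open=HelpMe.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=HelpMe.exe
"""

# Constructed listing: the three double-extension files this report names
# plus benign neighbours that must not be flagged.
SAMPLE_LISTING = [
    r"C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe",
    r"C:\Windows\SysWOW64\notepad.exe.exe",
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe",
    r"C:\Windows\SysWOW64\HelpMe.exe",
    r"C:\Users\Admin\Documents\archive.tar.gz",
    r"C:\Users\Admin\Downloads\.hidden.exe",
]

if __name__ == "__main__":
    for renamed, original in renamed_files(SAMPLE_LISTING).items():
        print(f"renamed: {renamed}  (covers {original})")
    for key, command in autorun_launch_targets(SAMPLE_AUTORUN):
        print(f"autorun launch: {key} = {command}")
```

Feed renamed_files the output of a directory walk of the suspect volume and it returns the three report files and nothing else; feed autorun_launch_targets the contents of any AUTORUN.INF found on a drive root and it lists the directives that would run a binary, which is what distinguishes a worm's file from the icon-only files some vendors ship.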

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

These writes into SysWOW64 (and into Program Files, next signature) succeed only because the sandbox runs the sample with administrative rights; on a standard-user host they would be denied and the user-writable Startup folder would be the only persistence location left.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe"

Image: C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe (32-bit process; file-system redirection maps the system32 path to SysWOW64)

Image: C:\Users\Admin\AppData\Local\Temp\MZ
Command line: C:\Users\Admin\AppData\Local\Temp\\MZ (a copy of the sample with no file extension; CreateProcess does not require one)

Network

N/A

Files

memory/2196-0-0x0000000000320000-0x0000000000321000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 1b24107c65331bd345824657e63ac30b
SHA1 9dcc11e7252488266d4e3f0a6f91b9bd5ab7f7a4
SHA256 50e25be03315cf2f0c4d7f193d092dde70128b3d2ad7dfb601357cbf1d922855
SHA512 58b11ab4ce4f7153f499e7b11530d4661f669e245c079dc8ea36268e812c933cd6020d70dce4b0b7a2e4c356fb0577cf39de848da1de6252982eaf0080ac888b

memory/2564-9-0x0000000000320000-0x0000000000321000-memory.dmp

\Users\Admin\AppData\Local\Temp\MZ (byte-identical to the submitted sample: same MD5 and SHA256)

MD5 49df499ce823e33e888b896d894fd74b
SHA1 0f8b3ffc457df9f8221bdc21ba426c426bd22490
SHA256 aa7c5e6e9e377301576f0ce37320b915d35f4c2b22eb9926f2ca5622e0fc707b
SHA512 5bd721b29be5523189955bb59bb50dfd03d683dbb7eff80f0036da7e205449f164a34767841edb1140aa7eba2389ab52b913b876c527dae450a4f3b2e687371f

memory/2668-20-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2196-25-0x0000000000400000-0x0000000000478000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.exe

MD5 ef5dbcc9ebb9da8424ef8b23bc8a3833
SHA1 14e6f1f640588775850b6dfcbd5b411176d21d0c
SHA256 02e4519b9e03180a92457dac30799dbe8b856045e755667f202c71882857e79c
SHA512 236ab86cb2c6296705bbbd0379ac6dd50c1075bdc2017e839e9038e198382663c2c52384896ac5abeea4569acfa0533ce8eb9a47d1a8b58283051679e443aad7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-length at this point: the digests below are those of empty input; the shortcut is created empty and rewritten repeatedly, hence the many Soft.lnk entries with differing hashes)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6f7d124b2d61af58808509c41170a318
SHA1 9ae05c19fd51ebc4c43874022d4b935d407213ed
SHA256 1afd12ac2e519abb863565763a0a4b7db2728c16774b12045b69620b054d7048
SHA512 8fb8df4dea1df4294fcc59bfdeed3e9335a41a37768712cd56eb4e62b63a8496bcc4559f026d996e2239b2a7b89fce02302e0d6e0a0a1255a59a8bdc465f0ee1

memory/2564-243-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2668-244-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1693bc729747584a3b30fcf3af7862be
SHA1 b66380a52cef17bc7e547a280244562cba1634cc
SHA256 8a1ad8fe0bf6424e236f9b649d763191e483ecfea333ae83f8817756f2d7079c
SHA512 003894e0a91aecc092ae7853db1fb96f55107f40d4023ab4a77b8a336c186a5fdeeb585db3e9c3586d813e3187e378e29daa050c343b00271ccf1ebb93562c6e

memory/2564-{253,263,271,285,295,305,311,325,335,343,355,365,374}-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2668-{254,264,274,286,296,306,316,326,336,344,356,366,375}-0x0000000000400000-0x0000000000478000-memory.dmp

(Repeated dumps of the same 0x00400000-0x00478000 region of PIDs 2564 and 2668, listed by sequence number. That range is the image of a 32-bit PE loaded at the default base; dumps taken after the ASPack stub has run are where to look for the unpacked code.)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-16 06:49
Reported: 2024-05-16 06:51
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\MZ | N/A

As on Windows 7, the value lands in the 32-bit (Wow6432Node) view because both writers are 32-bit processes; the 64-bit logon components read the native key.

ASPack v2.12-2.42

aspackv2

No per-indicator detail recorded (4 hits).

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MZ | N/A

Enumerates connected drives

Both dropped processes opened every drive letter except C:, D: and F: read-only (\??\<letter>:), the same set as on Windows 7. Per process:

Process | Drives opened (read-only)
C:\Users\Admin\AppData\Local\Temp\MZ | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
C:\Windows\SysWOW64\HelpMe.exe | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\MZ | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\MZ | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

Image: C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\49df499ce823e33e888b896d894fd74b_JaffaCakes118.exe"

Image: C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe (32-bit process; file-system redirection maps the system32 path to SysWOW64)

Image: C:\Users\Admin\AppData\Local\Temp\MZ
Command line: C:\Users\Admin\AppData\Local\Temp\\MZ

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
(Edge utility process on the Windows 10 image. The export records no parent/child relationships, so whether the sample started it cannot be determined from this page.)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
NL | 23.62.61.171:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Everything recorded is DNS to the sandbox resolver (reverse PTR lookups of the addresses contacted) and HTTPS to Bing, the pattern of Edge's own background traffic and consistent with the msedge.exe utility process listed under Processes rather than with the sample. No command-and-control, download or exfiltration activity was observed in either run.

Files

memory/632-0-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 1b24107c65331bd345824657e63ac30b
SHA1 9dcc11e7252488266d4e3f0a6f91b9bd5ab7f7a4
SHA256 50e25be03315cf2f0c4d7f193d092dde70128b3d2ad7dfb601357cbf1d922855
SHA512 58b11ab4ce4f7153f499e7b11530d4661f669e245c079dc8ea36268e812c933cd6020d70dce4b0b7a2e4c356fb0577cf39de848da1de6252982eaf0080ac888b

memory/4236-5-0x0000000000630000-0x0000000000631000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MZ (byte-identical to the submitted sample: same MD5 and SHA256)

MD5 49df499ce823e33e888b896d894fd74b
SHA1 0f8b3ffc457df9f8221bdc21ba426c426bd22490
SHA256 aa7c5e6e9e377301576f0ce37320b915d35f4c2b22eb9926f2ca5622e0fc707b
SHA512 5bd721b29be5523189955bb59bb50dfd03d683dbb7eff80f0036da7e205449f164a34767841edb1140aa7eba2389ab52b913b876c527dae450a4f3b2e687371f

memory/4164-10-0x0000000001F70000-0x0000000001F71000-memory.dmp

C:\Windows\SysWOW64\notepad.exe.exe

MD5 509dec8196a1f6573477e32e0285e27a
SHA1 6127ba46b976cac8b9b5a12153eb52ac4c9d25e7
SHA256 f6755f93c92b203a3636f474857f9e582e38304761f1cea56a26ddae0b9d8aed
SHA512 0b05b1a5e025fa960f9e9c4c625cb6a05a3adc704d9bfc30861e78fbb03436ecf725d8a92305964988cf8a8b5a0ee0d72d893db695aca08c074fabe2780e3598

memory/632-15-0x0000000000400000-0x0000000000478000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.exe

MD5 60dfffd3ac510ebab4ed1fba33fd91f9
SHA1 4b50eb04c477eb8ba9065df574c54560e5e09240
SHA256 900c612a2e270d8c2c415825806c716a0b0a83dbc8e0e153baea3133e6712ba7
SHA512 e1d0447ebe886fc5cb07d35d5c466bc19d3f55035a1aa5140f3a31abbefd617158364df40133e0301c328d822f46057d87febde59ddf6b94a67c25b47d44ec48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0c49188cbe0a2e65fd583f5fe104e030
SHA1 86c0e5847dd362c7255ed2415e28f2fd5c615b8c
SHA256 d65e3c610cce7d51bf731b7ba0fdc85f8f5db932e8c24843d22a4ecb34af1414
SHA512 664c123066fe074bc6359d5b55d053805086e9836380538f47297cedb41ddd7cef7fe5f857e34e29c404bbdf3d04db1dbd2a9b49604f332c2d2c83be64650e6d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eb1749f43727090ade0dcac4bd7e6ac3
SHA1 3310f572ad54f6f3b6c6d6cbdc0ecdd7d9b00557
SHA256 2eec07faa711ab47a5d4733bdf57730771045d3b3fac191857771d2512606f67
SHA512 5e6b1f5da75f900eda0813cb584a959c0f7095c1fe3a8c82edeb88fe03c0b29b029152c42cf138b470c5a0dd97a257338286c972a0368afeb5a7a18b2c6fea74

memory/4236-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4164-60-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5cd1e5a245bfa2b0445956f4b37af769
SHA1 33e8721ab00b932b4923a5affeb4c9e24fb7e5bb
SHA256 cc89134f39e0224978b9a7f66e352748e27b4cfcadbf8eb99b1d2a87f7c996a5
SHA512 df95f149f28585ab4461b6bb4cc945d0eeee7dc8bb08fb179c9322a5a899ea221c9857c9007f9e470d296109933d0e12efa9bd7f2b1ea2e845b5044aabb0c1ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 da6709318d200bd124fc8afe6bed08fa
SHA1 0c177ab98c87085fba066cff35bc560f2a09f026
SHA256 39fb5088a985437e813b8bc5b208189207c56e757e750f4e870525c5969c5d0e
SHA512 a7c3c5c9326b101ec27cbf09ddc13a25a3bee826546f454d4c02f1d97642c2b699d5a5e5babe5ac7679dc6e697193cbe65852634c9b36079e269a5a867f2c554

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d1d71a959cb8a0e39c0059a8a4f8259a
SHA1 b5066363a6d4fbbf1e7cb2992ec21c4027313823
SHA256 fb2fd7a0d35633854568351edfd70362f30bac6fe4f51031cd9126e57f9fb4bc
SHA512 a3cdc10c5f7ebe8cde99d83fd168c4631f6431c909b22a2d0cf7bece8ea40973cb7986ef2e8110bb6e35be10349da8db6956ba5c9e6fc57b5dc4ffae0c4ed0d2

memory/4236-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4236-71-0x0000000000630000-0x0000000000631000-memory.dmp

memory/4164-70-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4164-72-0x0000000001F70000-0x0000000001F71000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9651f27c94448b0d879807021ee61299
SHA1 b32a5fe97b31fcdb9226d93096d2ae2830b76598
SHA256 897f5f1a017744e6ed49e5840e37774e1c603c767f37064975ac180c18b7d8ca
SHA512 a818913b0384e35b1585cb8ed62609413d7b23c055e801cb751cfbe1171ef9d11d3fa1e7541f971ee849630c587d068fc85ad90fde3f4a52c86caba444b9e204

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7966da41cb2d43bb4f1fd72eb6d484d1
SHA1 a1a4d7436d1165fe53d927a73457a5d00d15caf2
SHA256 42ec5257f352c1eecebef9b4cb038a2e56061f6db363511194cec1be30d59e18
SHA512 b80cee309c3aaca447d27a07ededd0d30804d2f8d4f2016a275e924008aa574ba70c1ae83638df52ea64682add9a821b9ccb3fdd45c2df6b12763780942fbf73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 627fb85b4d8d00bc5d5de35d2632a835
SHA1 56bf1af1652a4959be31cc0cbfc53bd8349faca7
SHA256 4001d55ab1c6300b664215a882725afe5e41ab91119a2987ae83c6b1cfe73e1e
SHA512 a450848a4194d0de96aa05280dbb596edbdd139171370af0d172bb0e0cc7d5169438d558efa4a71524836f1b44231859220d6628736acb394b46f9ede0270cb9

memory/4236-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4164-82-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 69d11eabc0499803239821591e3e1bb8
SHA1 40c4da3b9057e90fab060dd9015d06f461ecceda
SHA256 5c4a84e1110686c41addf8abc7c1be3851918a3cf23d314f5a56cd04075ab577
SHA512 a3486b455acd04c8cb90a21e7991e1ee589a436dbfad819ab468d0e31c28c4c9a727f56658b1072af6395b01a8fa2c0c57643b96a493a6764b066832dcba3032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c90be9f81e42ae9657485f77a0ebc72a
SHA1 dfa0005fe995ce152410c523d1247269752f633e
SHA256 0ca1fd0830f931e1a86351f65a391fb32aba53bf7de5f11de7b37b64425835ae
SHA512 e29c10f877870c9167da1bf5c459269b4a0b7fa1a5a42776af14a0ad2329b6b62eca6942144a62842c7871c53166d7305921a4325faf90367abafdab44b3d870

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 885e4879ba98aa1f6cd87b989ce23a52
SHA1 f1928c037aa94cc45bf212edb0360f9b1ec57cb5
SHA256 48115c96b50599a38db15f9aadb555264ac4b130b7e4f0ba13ee470b75616a51
SHA512 a2c6e97eb4162556b9abdce229e6416fa4510c33ca70a123afd64b8259d2bc7a57eea565669ae0d340f87ebe08755076a1016aecfdd260a4b258610354c4b33f

memory/4164-90-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4236-89-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef15bd010b1cc47ad06e2a54459b0ccd
SHA1 ee99e297cc301667b1d959d885ee35f9cdf93d80
SHA256 1ba3b14a326dff55f3c7032da4c46fbf1fc11e1b647c307c9b7869150e9e6c95
SHA512 e5e518c9412867016292e2cfe6249ac75a0812a08963987bc3b9a7c7fc57492e9e6f418fb588b010529ea79059a5c95a55aac1bd5d212bae158d729f512cf87c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 08511588c764846c174a1d943a8a2b85
SHA1 e92d8c22d384968ff8667daddbb56775129727ba
SHA256 8ab748c96db0c20841dd6f5f55d00f7ec00c99a9fe40708d61eacdf76a6784f2
SHA512 cc8c510f28d1b7ff3a16b4574c8b0b85b4081b68f698901c683f6a8641b1bc7446f77b0649fd999475ad09f1856ed581eca7e70cd32306b5cf50657f5428f935

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-length at this point: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c3d18788876f25d20b38c68bfe769c7a
SHA1 825f7e45408bec2382c12532df82f7b54db42069
SHA256 88493f0e2bd69b4749349a36571cbe7b1731374ca390ec086d76eb6d38d93cd2
SHA512 ba862cddd7097fa3629e9dcfd8849b95b22f5b642ccd585271726a8ee6a546fd38b273104490b642bc079aff649a2dfa20b405e0ebcd85a655a1b4abc836a0e1

memory/4236-101-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4164-102-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 18e0e48c118a249e4785b506a2e1822a
SHA1 fa9018bc15c0ba52afae372adec30a759cf5746b
SHA256 0d5af068af7467ee7a0131f9731d2e7818f03da4f5fd0eef966372f71e21c68f
SHA512 b48a46e6880e4609091ded5474422f2f417e00005adc693e70ebc4176e45be76933b0c034c1decfc7ea18ef02840239de19d0bc871ce717552735d8f5f21f941

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 437efb14d33db04b9d3e8055a7653225
SHA1 6eccc51927d2500c62f633d0efe1afadd077f27a
SHA256 5e52fc8336fc991dcd748d9b4bed767286f3ccf1cfc4a2ae96a06f6d74442a8b
SHA512 e85d3fe841724d29759d285b720986a398a709686fedfc32677a0521343b9ec7f1ba2c0b1c4e1c67b06f75cf1bddfffbcc7157e9fe4ff78b0641f6d80fd26d0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 137b3eb7c1e105d258a19f67feb557b4
SHA1 18f4944a2c2898b10c5123e6e9ba3e8cad0a83da
SHA256 cbd84397fb77e8777ce8b4a8f91f0d83d26aad297a1f3646723e9bf66a59d772
SHA512 aed6bc0e06a27abd560056076dcc05077f16c370d50802f0a1f9dba2667b31bb1e81cc0168943eaf7b0125027313d54911969ba7fe8ed8f68b5d5027e1106599

memory/4236-113-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4164-114-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
