Malware Analysis Report

2025-01-22 12:23

Sample ID 240516-zcckvsfb97
Target 4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118
SHA256 45a787ae9cb457db3cad5811a421af21ef417cec13fc0279e9f6a89c39523805
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-16 20:33

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 20:33

Reported

2024-05-16 20:36

Platform

win7-20231129-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 20:33

Reported

2024-05-16 20:36

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4ce8b7b64434758644fe5b65c40c7dab_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 170.61.62.23.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files


MD5 d0b33592bc4aa36078e94e076a90ea4f
SHA1 8bbde633385a97279b6b958ec90f593340095ef4
SHA256 94a9daf614958f324e45eb8c19e21dd875c493eeb51bd6796962c017858ae55e
SHA512 e41bda898e394ea215f7e486bfbeaced087d955df3b7122fe68874da629989d0e064f14fd95b9d0e89e7357687cc14fc0aed3f6c3c861fa9a827603ce040ea66

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d104e3a3bbc0e14bdffd4a016dc89ddc
SHA1 ef447ad4ef8b8787db9fcb3adf432f3f91964e12
SHA256 04283c5dae616705b5e1f96162877eff5ab03607b10d2166e17e1ed30803cd26
SHA512 2e0d83a2fc445ac2b29f79d0488767e4f1b97dfec3cd5094d8e9f74028304b2af14dc15ad51bba6191c49e2fa5149dd7cbd32291b5a26f576055ac9bd8f1e3d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ecd0c1e179b9d4888255e010477dfd2
SHA1 a66a893707ab41e6746055c87a2b7c1ab3011f14
SHA256 5cc7d32d876c6411c7ba1acf098577c5c2beba7c7647425e9da26d0cc0555eeb
SHA512 d3e46b3892f0c741154010d80a0d36b088d6682aa0ec4141acf3b447972f9e36b58e101db8a6aa2b7e2a32353296fa8f7d78219a47852ad009cbc5f37e851162

memory/4836-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fefd792000c48211f2e9280e6cc675bd
SHA1 66ffd15de89a03b15e6bf098c9f422b15f19b2d9
SHA256 8c3ef3c2f8ae191f46a01bf92f385ac01aff304d94bfa4a360864295ac36d767
SHA512 c7f699676b86ae976be3d8f8c92bdc2e87f2429de973111cb5be371caa18aa8b06bd419d1a75df38fba3c0db407825539fe4777f58ece2aefe18c9dbcbd239aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 226c21dcc2a540f26d145aa1a9a065e5
SHA1 54704be5b78ede485145574c6478b31159099fb8
SHA256 5102f8c44df6ab7e4fd4bc8be22f22d784aa9aaff00cd28a06a1ac454f105655
SHA512 cefc8caff5cfac9f3480f6588cf91f71a1b6cf442ee3773e2ed36f896055b9c60df91395a3e477351b03fa704b422974daa3eab85299a568d2315faefd77415f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0562684a36eb117a89241889a1bf3451
SHA1 7829b7b09442097136abfcbbb6f49c7a03f78326
SHA256 6828ef2fb8905ed75d5ca03853eb5d53bd95108457013d872964042f182d2ac6
SHA512 2ea4e95319421ec5cb25b25021c804e5cd1a37b7350915833364a3be8333365861a529bfaa369bbf464769fb33e5f8981d3f015c69be21ee78632faa0f77929f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 47d4ca6e5f5703e11180557011bbcc3b
SHA1 096fda6401e1fe4ad1c71b0aa91ac84d08f6e4bc
SHA256 206056e22b9489d796914c6cb582afb4d70df4681811bef9f61ddf2f70216352
SHA512 7e3244a04cdc6b1ee3758868af3f5d9abc77de6f93a2823db897e2a38e322384fd10ada16b4961da310ee96899ce5e9fb1f04400dc6b3db52f67acb707fc28fc

memory/4836-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 644c981fc1ec56b03360bff57a88e2e0
SHA1 15e2fc8bc3f3980aa257a1b605ec44dc0044d322
SHA256 b077f26bc14565bf8b89fbc75016f5f02be3d6744eda49dd893c4ae8a9c3c8ce
SHA512 45aa0e1c3377dd811ced13954ff77346c7b0a43108a28392d9d404e826ad720f6af8fc28729fab0b852676a2fe35facb7fcc09f7e47ad0e36f52caff1daaaec4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2f78190d0c8e7055e1d12e8f6372fd2d
SHA1 cc72e23cfe840b906a919ecac011188955f9c7f1
SHA256 a682607b8c28ba72033f1fcff2fbf641f1589d9c0cf62751a899813481b6ee63
SHA512 afb734825c90e9e72186079ab8d212a4dbdcdcb801268f50b7d5fcc41e6d4183f06a103d082de8328b217fb37046d535d9a45bf1517b5459f69e07e610dbcb54

memory/4836-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 16ab7cab83a0a8d4c97c9c19fee2cb71
SHA1 e6817268bbae2495b7048e1ed2c4fac50729f669
SHA256 ba45f51ba6d8545ca28bbf36bc640e6288dfa9968afd31a4d485af5e11513760
SHA512 91c01e2a3a7ffe4bcbc42855f1ef6094127e8ffcf048885827be74b48757e69df0f5a275daf918a541178b4389f3c45fa8bd1db3342604ec2a1a91ce1684dfb7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8883fab806d8f1863e45cd77ff333977
SHA1 0d26f21c76a4d49417306265a17fe50e21c4059f
SHA256 c942729856bd5ede023416eaf77cd6041ff62e54212310c7032d6b08d6057ddf
SHA512 1fb44c0af2a220f1fc6763c5945b98d2c687246ae9467d5e8dfb192836f88c083b1444b777c1bb43aa4e3ef14e9add663ddfb45614989fd7e6f49f096e1615e2

memory/4836-157-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-158-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d188a6f34a93590089ecb37f09732b07
SHA1 f51f8c762621d2632b4b556e0e0255f299c51aa2
SHA256 730f904e049a0f46961cdaf2fa8c4c3c35521d4a3084c7d90a8028157a211a7b
SHA512 2c5186bd0791f98331bf39d23578a9408f250069f5f21a3d2c904c4768f64a1695c8f1cfd527c663a9c1f1c27c1606ffe8729eb10d2da3e9ef2755182d755753

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bd42c89270e71f6b5006ce9691eee406
SHA1 e00ec5d35248c7a4a799e3e8512cc7eb2ca545b5
SHA256 f41bd0fb4df99a6111f06e73045c3eb5a1cd1873a27c38b80165a3028085f008
SHA512 55d1986a1401a1b04dfe04258246d314d54c261e8f17d168b5d793681c65cc15d73aab2d0269d572028af2e505a5f9abdd5d1a18cd1869881092491704bfe246

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dc4f702e0a5991a84a4a1309a726498f
SHA1 a72027ef26c0860862cc150ef414c5a9c55ebf86
SHA256 dac1dec6504dd5536c66d211bffb672215d82424a2bcf90c1b7634261f3cd317
SHA512 c9c6ef019cb17438b4cd00eef61088b0ce1ff4d474c88d53993791a741466ec3bbd3c782e711a5a14be7df6a8b05be6ecd3edc9c410347fea9034d9a474b4364

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dabc7314bee00c02615ed32ae48e49e2
SHA1 87ab5c0582916d8ffebe7efa8d1f1c80497aaa5f
SHA256 c27c170a5fe12b36d76eb9d2e1d247c450942222338270cffc8c6e00a32fe2a2
SHA512 9c5c660fd8081c2f94f1f54f8abb4bfd1a92b3d291bea7fed2734afe2b78d85212da915f3139d3dca026d1ea261c5cf1951c858ae7204ac02313109319796929

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2133776a68ce9d23c141648c7e13cc50
SHA1 c434357306fe1958b15f3c7725087e825b826695
SHA256 a3f8c21ba470e887e2e25c3729a7af5790df7a872871a410f959ec9063e8393d
SHA512 57022f31757e41f2556b7ba42dd40f0ebf09b29b623b83bbc6e4b3cd7d4089c00ff68661e0853541a44b12d596be88b01467777f1d62da7119708f57f34aa68a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6137d18d7a6bb8edf1655bae1604acbd
SHA1 7cefae88b6444afb0f08aa85ef26003807fede2d
SHA256 2e4026c7c5fbda63d5953927a704b69e503d36d6237d1f24814fafad8a4408ba
SHA512 ce1ad7115c9777ccd50a6107d78787e010d8e50b474ec2c78e8263ddd9ea687bc92b81374ebb3aa0fb31c192496af2f9cac46e22563a02d8b6c49ea9c044b25d

memory/4836-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 199ef7b3207e10632bcdc7dc9b85ea99
SHA1 27a39db2b2837b47337097d708cb65878637ab6e
SHA256 fa1dbdc0b24c921f7a46699c8b60ef7ae90419e4281bb091c31a70e05cc24204
SHA512 a04fd9519326931d367df09f2d615eb971a7298a6a5262ca712aa8adf81f2c62762ecaaef83da37e6b5180aaa12ec36965fb6625b372a93fc247db056a318aed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 770201a8080eddb82b801ebdd92885ee
SHA1 2200a9376c5213bcda82f474c230c9f00ebd2f69
SHA256 45294977e663efda3b4bad2b7e46286f285da403c2787bc0b878d5dbb29bed87
SHA512 d87358b80f23b816fe6aa292702affee8bb5e25db9eeca99c7bdc57380cae139067b76a96e3c6227aeb30ec823ddc3de2e2fa8127782797fe592171626fb200a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 042b60efa83d62eec7396e4ceeaa29a4
SHA1 5e22df76e337a2aa44e2f8479cfcce0402b448db
SHA256 ec76ec28d7ce6408b32209a8341cf0c82e69a3be43f0b6bb875f0112dfda9ea7
SHA512 f3d689d586748862af8912fd1dc120ed0dc9c44e8d0f4d79eb7968f5248a1efed2731798a0b50471487a725f6ffeb540e16b71864f7ca1521dd9cbd80032e4a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 94a43c761e9d25d70c5d7d43a3b0115b
SHA1 87acd54ac240113d8034ea18b73da2b2ab4f5668
SHA256 1634f42c8ebf13530b2c1853571bebcab5041d888838d8837e8fa2e45d717662
SHA512 e9c4ad130f6f6d9e0a5ba63ccd2f457867112a404362b73f9391d79d3829838c52301de1d9de8553e1e63077e4afd70056c13a6a98f94cc676488563c4bb8645

memory/4836-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4808-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 901dbfe058b0845038435e9e624ecbed
SHA1 1117e99a48de59da3218366f3f9ed3b92eb93df8
SHA256 268d528a9f164eb8f9f3fd01265be7669ab94f065989bb533a8cf23cad40d867
SHA512 675d6b403816b8dd96ec1b061cd1bc6253fbdd58a084262d33770f3270010821d82b2ee923a95b873db81bc66b7c539b5d935c7a46c13fd3ef807f4fa90297d8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a5ccd7c676f65236729f4445ee10e18b
SHA1 d9f80d4b0713947d3a60b6ad2147baebd4e27e69
SHA256 1bc5eb26d549368445f66403891fa9c3ca15bc93ea0bec710f9eb582a6333b94
SHA512 685f8790d41a530214bcc3e20232d07467826a623ff5ed20eda8b2e003eada1783ecc5f0081e2269efa5c9a41b7fb940044dd3537349b12578fc2cbe42a2a9ba