Malware Analysis Report

2025-01-22 12:23

Sample ID 240517-qbppcsab8t
Target 4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118
SHA256 8df2f129c0abc2b6175475a914318f4e13137efc295c2536908336178535d4b0
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8df2f129c0abc2b6175475a914318f4e13137efc295c2536908336178535d4b0

Threat Level: Known bad

The file 4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:05

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:05

Reported

2024-05-17 13:07

Platform

win7-20240419-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:05

Reported

2024-05-17 13:08

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fe309dc0189ef9066844ac9c0308e66_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.107:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 107.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

SHA512 33f6ee1bcba87ea4047723ec3c4bc43b4d56476a4eb4ec9280db3fe39867f0576fff00d55792cc6e4bf9c8a001708ce011abffc556f578a44dc28406f7157534

memory/536-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 087d306aae2400b7dc0b3a60223d9c3b
SHA1 04ddbf04da9d68509349532f56632e843844cb3b
SHA256 69701003f27782dd83a53e2b7ff4d42b3bbee5f0e55bd4ace17819632e2e98f9
SHA512 4bfe37ae4744dd614996a2d6822cb83a579c05b5de9ca55142e537ae9db1bc776398fba71069d774102b7b6fa2eae5fdfa536387142f0a1772022a572d504bfc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc6c4000bcb6e08a276d417e214e5a89
SHA1 b1d496f97aae20d71bbdaa25e7fd564789f4f716
SHA256 8a3507e7bee40190e6f4e838bc8a76efb93b940a932c9b7c34a41e7e1e6c78e3
SHA512 47314225d4ba42f332095a3b4dafccbc6fc1d2104042bb93be54280bc88b3fe2d20e129b7ca4efc1b304898ae7379c01ae1f6a97c49b09f5ede3ed3e182946d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d16dc6c17b48a88160fa0538c95447ea
SHA1 bf2a1063619a459c25bc50f294c224636153f4ac
SHA256 6a10786ce5b1e29f58e9805d3c0d49d515235d55d99b87917341622a0659b2fb
SHA512 7ed0f01f76db86d978a2747d97d57178379b578af2740a66196ee2d2f130036a71eff403bc66ebfd4afe3056213783e70fb058cb7ac183dd74912631612a9708

memory/536-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0216613155ae5a7cd28d12a602cc1f1a
SHA1 99ef630812e08e5a301f88709d1091b63a78b90f
SHA256 1d0869aee46d19a12afc982ffdcfb60666ed50ee84b5c46d163b6cf705851dae
SHA512 29fd37018730f4e0b6c22dba7dfe40b111b067644cfd1c48efc0fdcbd9c0d3603600f10b4f7197839e1a1d4a1781e55c7b4a5e577ef2ced76eaa15db32eab5cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0803817b3d97f629295a681f74ca1839
SHA1 337cd63238a0c1ecee3230246d69cec22f0a8490
SHA256 5d5ac4b043be5bc6494120db272ac7b8630c64aae0d60c5d49247429143e0b66
SHA512 f3353b747840a80133b629a50d5e7c93aa701b29a58d1475bc0be699abc9832d755e0ba9e192ea8d37c9ed63edec872450d6ac5ec98b2c9a0a7508fc885df192

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e915bf507973b0da0f4eb4111915b86
SHA1 ab8971b785a39da9dc87b2a851a1e453363aca47
SHA256 f56d893a5b9faa035eedb05554c7f0a74b52616c5c1ab81cc2d3946c35433603
SHA512 ca1f3628b19f0c7e080b8b348d69f7591ee5332c75a137dbb6241c3a2b43a2f23857d0ac223b253ecbb0d6e0c8c886a83f4c9a67924a432e82bdbfb7f3d5b790

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e323db4b82162967d711ff86dcc27227
SHA1 f1bbf09afd6803bd0acd12a82bdcbb8559ee2f61
SHA256 b4165176f8e721dd34e0362b4c219a8e39316b71a98f375ef2c7ac66562a5171
SHA512 fd877f578c63ae0cc9c304762e0bca7586fd9a2c4b132b02ba871f0d3b04e484eef9c6b9884b94a4b8d8157a0c5ee0fd3b79148941a2980d0052fa1ed3053341

memory/536-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a0c8f59a282cbe4d8b672c0d71329122
SHA1 e9d157fe41dc9fcb6e5e9250f1a5e32b50dde9ea
SHA256 4344c97d055a21a838ff1a7f17ee14f1bb0816880e359f22eaeffe1f9dca7fae
SHA512 86ea89ef763868e3a4831c38483dde68eda754bb925d16388fcec16cf1799cbf45c4dff0562cb30c04ea40abc46a49deeb0a83213d96638fa81179dcc9a1cc58

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 19a1b4b344414f503780c569f3e2268a
SHA1 1b219fc235b547dc5efff23dd791835c6c18f0f7
SHA256 933bfc8d58eab9a20542f46ea9a57edfc5281786bb4fcd08d6fa3ee81f6fbe89
SHA512 2bdc98b8c42996ed05ac52d05cd69e46cd6f383fc1c3b621a8b0a1721793267508be867af4d11115b073892efb62c46f30b192a847f2552727a1ce2107576d6e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2ef16174d24cdc5094417dbf4cf50b35
SHA1 95b2f90deba9f036915297935563726f65dae453
SHA256 aa6ed2457df0eee46b796a91d061096f4f2b8b9f780940ba1e2d126c33f8cdae
SHA512 fdc8b6197a889d0b4c3dbb0b4d9c7cba3e70f3ba1d5ea7e3705273f8ff97bbbe5b8ae78cf0b807caa88c89ca038c953b4adbc50ba41c33269f40a43256d114d6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9526e7feac86c30ffba6cd6dc1bdef76
SHA1 96bce1b1e0e5daca94c4159ff00f3a1a040a0367
SHA256 742ff770fa5bd9bd1dcf0931451f600d048f8a801d4509961d78ff7fc6d053a7
SHA512 0de08f6700442738e9468a6fb8596fd3593234eb025daf582d896cd0b730f7cff062e919dc833377564e1391f53d0dc2bd7798b9b8a96466ac8d25809bcdb42f

memory/536-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3e4a44c4305a132efe37b8cc89751d40
SHA1 b7429da224fc7e5fe85c9214090d7b6db2de664b
SHA256 f04de91b10263be2113d828253a0c3de28ac1f4b9cc90bff1c973e7f901be624
SHA512 521afceb0e683e9e300017dfd1e8f8405dc83614ea83fecb2407714fcb7535a24d92bcd333f16e248df1867b64237d014d4af395720b9498f5b0cb619a04145b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eeff046a9d95fa3d1145a9e0da85d152
SHA1 dfa3fcf893419e0d9668faa633748537ab20f305
SHA256 c1447f914ce5fd5dfb4d44b90e51cee65daf79d8d3d83d91b7d888a675262149
SHA512 ed0d1e97ae904be31c5996a938241b8753e952392c485ddc2a0e99ac1de9ce54300b4df9271b2f27abe64bdfe117f78c91e3ff66cfb622535f293c5ea5039a29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bdac766f38987c462f2b090ee2f7cb0
SHA1 682c407d367e99a04f3ed666f844d301187286b2
SHA256 a81edab1e39127fc2131007d5c03149e8bcd03c1f378494547596f0545c3ee5f
SHA512 d35a050297f05670430b9da36c3ec1b05deb2619ecb234a337fd4092ee1cd62e5940191515557091d65d285fd3abb8c22ee254dbf4a9bab36a1291d4dc423f64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c027890b15b4be50cd97dea035a83a79
SHA1 cd5905cae5b5cdbabc5fda6cdc6c4b50fe599300
SHA256 e36fae58c4f8029647b20c8a497ad6cfa2e3c088dad20ae35f3655ed515e38f0
SHA512 1e0ef2cef80e3db78b9ec850fd777f1b255c090da8a9ec3bae0f60dd1d7ea216f135f94f212424a9843c2e3b63f31aeff788fe74fcf5a59e4fabf407595be2b5

memory/536-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e16ac430e536ceeafa5817bfc14527bf
SHA1 e5bcfba8ce887ca9089703a2642b87b515757bed
SHA256 96f0bfee6efa3aadb6aeb45f70b709df1f32b2bcb37ea91c33254f9def0fb38d
SHA512 b755ab35e50c2513876874ca08b701a95bc6f22d9b0bd8b51c3b070ae44ad9114c6d3cecf48e0edf1c278d78726d3be9a7ecb8fc7a9e7ce195812e22f08dadb1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2f3f787aaf5bac641d3af4ab91e2cc79
SHA1 88cf317cf8dfd5f87582d1e65a1160156f16ad69
SHA256 9a60a94c793d248bd22f1acc645bc4a06fe0f83931af81be76eb70a73d974071
SHA512 8ede9aff711b343f5c600da4fda83f9ad031a4a385f37658b7a7c028936aa4d09e9e74fa103feaa31efc5b2e28774708f0b1e02297c1d905cae7941e206e3fd6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6e5fbba99f368c9b5aeb1ba1d64f4a8e
SHA1 b52658cf86e790df899e6d71b0f2cb93a47f2512
SHA256 58b02f397ed094dc89cd98b24fbb4076eaa238be2d21302e73eaade4c41d3da9
SHA512 757f5116752aed0da21833d849520811aed5b0a934e148d2ac95529cce8244fec8d2f6a1d6ac6184707fea5274db9c4e38219f597fc5371959f891fd22823842

memory/536-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a91f956583d8dfd784b73f0891f5fb3a
SHA1 192603226b4431f5b902f6da8460185bb11ef524
SHA256 e1e271712bce89613631f3f916b01c9fc638db26425bdff7dcb47804ed3e95ff
SHA512 2013b5c1b9a3ce7fbe291bdcbd05e4afaac127f246396427831cda5cb713bb418434417b5add41a5f971549da2b9edbf212c89f82bd5fa59b95f9f2d897d4aba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4aab9bd700a270aa86c7492dfcb2d173
SHA1 0c4152bbe0a00d9cf9306918097210d55f37f8d9
SHA256 96a39eefff4f0eb1b3b04ff7cbe07682eac2978a180830d7312f4bfe2c2f1235
SHA512 6947709a69a6849cde9f21c3972811fda406649f5ed44fa0b8df1cadff696068628a178d0c2501e8d9c21f7d6b66174323c6d45aea456915d3e46bc4d7fca7a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bbcbcdba70b83329b59ad2352e350f51
SHA1 2075ac4a3e100edec48ef2451106cd99c2273b07
SHA256 cb4d272efda87136a7601bbf37429b8691560a7826caad30f6eeb9b0ada5281c
SHA512 7e95878f96331920cca6755f645491b564a2574763c7c7524458ef37f19980a4b4b1dec7c5115b43ea3fc895e5750630e6c4f8ed180ef1a7f582d76eff7f88e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dc04d52d31a16a0e7b1cdbadc52597d2
SHA1 f926ba0177c250fe5d4ac50b9fbe5d0301e981d1
SHA256 1f4ddc4ab64e3a77581025dc89a77b09c7d74f55d5de8390c76ddfd45b63ce54
SHA512 dbce30c5e92237dc42b0ebb661e4f547c289f537d83dbeba208e9470288defc482ec9fcbe722219df50016673bb8bd30342367b2944961ecaa043f9784aeaebd

memory/536-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4972-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 04946e6f0414f4c8a4ad1af716f1c984
SHA1 f57bb10f318ab7ec1bec2f7183933c5a8fee6b55
SHA256 7fd08762407e2989536824d426276bec5932b742e246a1568937fd89d5412541
SHA512 68d0ae131796541008b933c12fbe1d41dfe69fdf22ac234115ab547ad3695aa67374acb68c41a9dbb0ebb6fe5b3c6c49fac4148d21928bf122d38d37e7e5ba73