Malware Analysis Report

2025-01-22 12:21

Sample ID: 240518-xl7fgsad4x
Target: 564d55570752734cde27e18623855a51_JaffaCakes118
SHA256: d41ebd08eaf6a59051d2021c841adac6c12855e763bf77c4c3bd498f97ecc4df
Tags: aspackv2 persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d41ebd08eaf6a59051d2021c841adac6c12855e763bf77c4c3bd498f97ecc4df

Threat Level: Known bad

The file 564d55570752734cde27e18623855a51_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:57

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:57

Reported

2024-05-18 19:00

Platform

win7-20240508-en

Max time kernel

145s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 18:57

Reported

2024-05-18 19:00

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\564d55570752734cde27e18623855a51_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d5b8cdde54b7e56e85d79271e7f25fad
SHA1 2021085aae8cc3a08c1a1b2020a35869d017151b
SHA256 b5a9f2cd022cdb6f7b0413c654998ac13c07d2401bef01c8df568fdf056d962f
SHA512 3787bdd79e4e19646011dda06d1e5c29dc3427b64ac5b5b9edbc979f4cc2ef89a54837dc11f7f275511f39c7bab366e13f47c398400c05e635beaf0736f75421

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 482d55c7c406002acf32d9c48ff5521c
SHA1 a30d97d43b314bddc01d5de844d9357ae7d688c8
SHA256 683714baf4c024f5f4e1005725c64e38354fae640c9b219e8dd47eac92a0bc08
SHA512 f406abd10be10c125e968078068f8ad75be4d738148347ed8a18c07cd0086f0c14bb49d62fc90b23ce0f17f7455dc9e798105a6c21fdd70b6d78db7f1de4a22f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 56a061a6e9aaa2d9f321440768e1b49a
SHA1 00e03c35eca1faca009c3b07b5f5dfcbd8ee65cc
SHA256 86d34a7bd8fe60273c6d59457895dd415580f7895f03b98b5a1bdeda5e0ceefb
SHA512 d61cb4732f3bad134dc79889506e1ed662e5a872b5d82dea366908efb93ee11797117745b8c0c5d235d9021343a9a9eeae8c9350d9a286f87afc6ed4306eef06

memory/4876-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-122-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6f391b710c54e7fb0ae7f3e1436db424
SHA1 fb59e699a888379a4ae0b6536d4bedb487e1448f
SHA256 b6da37bb1ab93ba692c9ca46d049f5a220e7e108304b4a9f9604212d8d68ce4b
SHA512 4461968921d1207156c3f31dc636c5afb286cf59ab9f296250510262ceb4bb515dd06bf9bd2360a184cc454ec36e49d69a3963d61c0c2f0962bb07c0983bccf8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b3e20e9096fa95b304c0cfdfdd5a83a7
SHA1 8abdd74e5f3a7aaac0043b0d1270abf1425590ca
SHA256 088dcbb1ed98622ed07ea26694958284fbcd1ab38992f0b2a5c1fed207186a27
SHA512 b63e36b3bf497f40b9c0ca1937d1ad3cce9fee2d4e3a0247a12a2a0ea2cce071dfe541af7ae1b753d8f03e04cd677345de0d63fa6fe91444a12c3a6c93228823

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f4561fbbe39e6eeb539a4e56d24f13ef
SHA1 8b5d62cebdf2279ec557d41154af7a098a31d486
SHA256 481025500b4c869883be3ede4b4cc9dc7d8d4998015f4cff21f83edec1fb9b5c
SHA512 2c656877135483068b4cbf8ae0603947d405b227b2f0525ef576123a51d2b46a4c29cd7a91f67fe52ab5beed9012188b22d8f2f90e2b8e537fd28ab7e08d6449

memory/4876-131-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-132-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4df256e81ce95e7ff523544fa5b6f97e
SHA1 fb9dece41290f9654b625d8fa39679d77da46cf1
SHA256 d5776d234e9c458a11513046ea932555a2aa9adefe1851343f66eb5a5c91d561
SHA512 6fec586455eceb8c1c1bcb2430b620c0a087112f042ace3e3cc25da322d8b3e111cfefa7710d576ed6ecc1f828f4b647fd672a0ccd294c42d169863517296373

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 24adcd746b25ef3dbc0aca693241746a
SHA1 5872ff1e0efd5b76f70c15010dccddccd57e7f50
SHA256 272fb0bca84b11cd7ac0137f5844168ac127540284784bdd73113fe36d6e9ef6
SHA512 6ec249abcfdbd5b151faadb20cf03eec2ee19ebe5a2672f5f0c62cbd865b41cffa56c440cba81c07ad429f3318bf05d65ba505e7c298b940540df4b53c61ae5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b94233ff1f8c16ce5543e2a492c7aea9
SHA1 7b41fd8c7a4e2d15eb99e017bcbdab3eb03da5cd
SHA256 aec6b324d69696f5ee3805196fed548f466bf1d51e6a6df210b85f4d26c7a529
SHA512 dd9df29b2d827994b97398a9234b8469f29fbb4a4f2f4ba2692347f6307ca7bda21cb6949ffcacf15e7997379cb0efc211c5b7e165226ba9c4771385d44a12a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb929997dbcf36a1aa5bc0711b028b74
SHA1 6805c13a632e69d6e8265fd17c62c15e4a9e8a74
SHA256 479e6088739ada09946bb1b684073383a398848638e376bf6f95fa7a7937cc8a
SHA512 61ab983c9e4b7e6ddd093aa80e9cb26fdc31f639aff49da710d16fa3448166c83794ba52695768a15a5ef28678dae6fc2cdc8c2b3a5d86b1bca5bb5944198310

memory/4876-141-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-142-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c06f70c832b756fa584617a9691c7a26
SHA1 d33aceabc6a4fe34b3d0475a0e42e5a8870cdd6f
SHA256 b9e287d0e54f37aa55624ab06ccc52b31b8cb58dce4fcde4b89517598a568c15
SHA512 2213abfcbca2b950817ecd005e87ba0b7a745e17975af84bfb02a5746896e052a3850a8c960ea56f7106b357d791475c5499ba2f78a9a011fa5f4b336b11e849

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e7a1a9d96932a6b03b8846da483bb1f3
SHA1 8f3147d2ef91f54caa092b67531b23eb82cb0785
SHA256 efe7a5ea93908713e117c1c09ac89bedcf185219f11b1606052ab8fc2201f056
SHA512 91c1659a66e2be59ac867d695917606d605055edc03dcd2be5abb038136172ba771418f9a8ce3490b51bf29849569982e07df2c2c64fb03094f5cb728348a1f8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 57842f07aa63b337cdd89dcc1fd260cb
SHA1 f695b575b13e82279ff741bddbdd1d39feebbeba
SHA256 662bd5acee32fc1940973a8bdcb070117d934fff21dd4c2d7f21bf8adbfd4830
SHA512 5a7e9da5d497638104064fa8badb3e60e6a3d4f2ca02f756bad119e8f877d60ddd75709fe50d243e77c77a65b3a02a56f20eb6803f0dca00cd0f5be70080ec38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7c9d81005720c6acb44c70e6671a579e
SHA1 2cb133caf0555b1f0d0906852358a6af70686e09
SHA256 80a5c80639e2f96f00d366dfaa5fc19a19a64c68ad504f924319a7aac42b4be8
SHA512 51f7c75b99fcf4dd9daef86f3160d471ed45cf70bf78b691d2942bfbc3c1b91e33250519c0196cd617a22d9791399ad78c713876f1fd8e1caea8ebebe1e5e7bd

memory/4876-151-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-152-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2c60bff4d2e105aae7bd26d84b22bc9d
SHA1 96b17e615a9a38e614d4aa80023fd901dbf20c37
SHA256 523c3669daafaf9af18e123627ef96c73e8f2900b1f60dbd1a17218d061f046f
SHA512 d5e3e34b53a6fffaf44b566cadf72497f9b98659793dea633acd6622a11b3a5cb594b2696c63e84fa9dd215532e216870e555d2626196fa4b348eb6d52a3fe58

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aaf5c8e5068c96904fc1f9854091c6db
SHA1 a9f64882b964aa228c30f9855116f14a7c75652b
SHA256 fe042928e3e2ee74e8f13948b33ef4248e4fae73902a83fdf563dce796b8209f
SHA512 63f829924d1a307b78a6e97fdf9aa699d88f28529e5218081fbc848513212689a0122c9cff0b823520c3c56d3b1c07a4715433807babfbe311db293957c649f4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aa9601cfc58ac2dfe2059ac7a7d61250
SHA1 508334fe289940bebdfd12a71f3795e069208782
SHA256 540ce36ad58af0862bd97b1c178f5e088b6aec8059033de7dccea00c0f76ddac
SHA512 51d9f405f5d4f277bee2f7bef55b21891f15308a662d2ee441f8b5a733d34bec31a740a4a79e39d267b8cd0bd1e3965760d2f832b6efe97ea96095a056e8dcae

memory/4876-159-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-160-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ff28f9c14705e10da44a7007fa23b58
SHA1 e6e4cbd8dbd06e15c78506ec53d93affbaf1d0f9
SHA256 055e6cf0ff6855c51905b5c358037e569925c441aa2208d9f6915940f7f17529
SHA512 8f1e071407514aa1d8bdc73d3df9ee70303d5fb40d9086e044b51991da4cb2d7f2361327696dfa377f26084918e62ed1a03286082bd5b2707722fd3daf57b78b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9becddf7f9f7ab74c60eae59e571f39b
SHA1 e15b60faad4d7d8942134fd4add906880c6349c9
SHA256 300dcf41bad774b2f5fa272c231fd4ce9ff51159837d2b7c25b2e5eda50a158f
SHA512 fdb3928c4b366c7a48f06374502d3f7cecec6d17d2f8f807fe3814e43f2f9c380fe89e742578418ff754107a94329d064f0f8488cfadebbf7e2ae9db591b53a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2f1caa4ccb323c0e94fc99b41d520542
SHA1 ef86c39f68bd4237fc2b9e99947cb2ea4af220fc
SHA256 5566579ea26322995739cea6389ef4c6fdc6b12f6e7dfbbb43ffba9f78a62676
SHA512 cd8d40c0444fca4c330731d196c5c44316eb8c8f92fbb5ee3b4e221071627a845404b879099be1950fd804177ac7e90f15e9665c302ff93d5155b96cfb3d25eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 67c824f5dbe0a8f16f703e45b9b24920
SHA1 43da442b81758a9b9aeb8c921e89df09e2eb2e1a
SHA256 3e73ac9e7c7d7f1e48ba0c077a18ba3afe5b90d41d1dd50d47482df1d99c108e
SHA512 d540b299d3ae4ac60836c85dcbf668e5896ff133a233afeb989ebc93e2eb14e29a4f68e18099046fb8ec16f808bbccd33336d13fbf2aae063f3d2bdf5224f945

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 80b13e3b634a0255ade79738ae12d908
SHA1 bd217fb44e03506abef9e2625871008e5e255512
SHA256 e775b2a99dfbe7ebe765ae4f667dd4f3d8a01ae229dcc0080da8d6e1be63c7a2
SHA512 2e795e00afa7f09fad80de1a8dafb48fe1467d2bb6a0a16ea1b9b36f753fffd15225462e0917cd5d6e11fe3cc85e42d3c07e92981e014390eb32576a4421ca1c

memory/4876-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eaa6b02ed88cc12c541befdb21877480
SHA1 45636370283d4a37ed0b0347a7578cbf6053d4b1
SHA256 5998985c0849eb4e2ff912a87064c966c4ff5c4a74b324fe1b34359d598be328
SHA512 a54bf47efd8db266f480d407e06eb23699091c974ee29dbe8536209968b3232a591cb311937e7e197b9ff6b0b859dda620e1fafaaef230e9604156a7bc3f35c1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 295996a2c7943d2de2b5609b30730bdc
SHA1 1f698777bc416753b5910fb3e28bf88f508751c3
SHA256 3fa1633c8fd9ad338f53a401ed970864412cd847629e15a651cb9ef8ca7c4a3f
SHA512 9279a79733792f803d9374cccc7f05ebbf34ece0fc7194437f1b1c80192ac0739c168e55bd15a4a4cc6a2919b641d93532e312a25b3ad083a2579bfe23d235c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6b1dc838ed2abeed677abb2fb792b825
SHA1 e252192192c9b497e8526f3ac6894fdd2644c875
SHA256 a9a3978b8fd30c22319d358ecf32387529d6fe3b5f381ce8280d15a346f184bd
SHA512 6376e5671193c8e652f1f15aadc45229f8b50c1b6ac4a47ff16a7f09f0dab260f5b876150b404677396bd93e661f2f65c048476f8fb59510488eff4ccddfc66c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0852119749c88025fe9c522fb08ce3b5
SHA1 782d8ffd91c1ee921a1fac6e2e8ee00897717670
SHA256 8a64497c74fdf6f00ca8521f5fcae51266b34ef6cd2c54521f1f3a4d3bb946cb
SHA512 b6b4f3f5bc32e55b1cadcf072680146a7a1d27f82561e2529dbb6cd850f00a0656667cb35c96966ea8b0903eccd5fc57ad45e2db76b05fac9fde923f3d3c35f6

memory/4876-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2588-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b87e48a2573cce615a3cd9d9f579846a
SHA1 f668da392822f8c297e5edc51b216ea4215774b6
SHA256 7cc3fc005accde14176b3f7fff671e420b0699a7eea5463604262476dfb9d0fb
SHA512 c55f0c457257ef4e1558f4b2b3da2a772df86307affb00cbce150c48eba27fcd9df64b7f713c109502565ad82794642d600499b2ee4a42b447ba93f3a41a96e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 138932db34c6504d02d63cb43f144645
SHA1 d004e6c3aca036565a172d8c744e267279b7eee3
SHA256 a11ba67b99c99ada0170359794af57f98da449f4f37d04472ccf5a3a64ed7654
SHA512 d24f998559c2d4b2b24fff7c0e1a1f95df1ae91c93e5ef6792fb9c473a8952517b2357261b4fefe1c0bed421c891724f8d57f20bdde2d9ca022ae546bdad0077