Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-1gcl4athpc
Target 4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118
SHA256 79fdfe11cad2dab14db28c824638de95f75717f160b8fef44fd7cef32ed14824
Tags
aspackv2 discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79fdfe11cad2dab14db28c824638de95f75717f160b8fef44fd7cef32ed14824

Threat Level: Known bad

The file 4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension (the heuristic behind the ransomware tag; the Files sections show the appended extension is .exe, as in desktop.ini.exe, and the report does not show whether file contents were encrypted)

ASPack v2.12-2.42

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The matrix view itself is not present in this copy of the report. The signatures below map to these ATT&CK v15 techniques (IDs added by the editor, not taken from the report):

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Winlogon\Shell set to "Explorer.exe HelpMe.exe")
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Soft.lnk dropped in the Startup folder)
T1091 Replication Through Removable Media (AUTORUN.INF and AutoRun.exe written to F:)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)
T1027.002 Obfuscated Files or Information: Software Packing (ASPack v2.12-2.42, unsigned PE)

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:36

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:36

Reported

2024-10-16 21:39

Platform

win7-20240903-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Both rows land under Wow6432Node: a 32-bit process (the sample's own copy is placed in SysWOW64) writing HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is redirected there on a 64-bit guest. Winlogon reads the native key only, so on 64-bit Windows this value does not change the logon shell; on a 32-bit install the same write hits the live key. Check both views when hunting for it.

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 opens) C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 opens) C:\Windows\SysWOW64\HelpMe.exe N/A

Both processes probed the same 23 drive letters once each (46 opens in total). The letters not in the list are C:, D: and F:; C: and F: are the volumes that receive AUTORUN.INF and the dropped files below.

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

The image path is SysWOW64 while the command line names system32: the 32-bit dropper created and launched C:\Windows\system32\HelpMe.exe, and WOW64 file-system redirection mapped that path to SysWOW64 on this 64-bit guest.

Network

N/A

Files

memory/340-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 9a7f61dfccba609c41c7cf0026904d7f
SHA1 44082566f32d40c2c29046a400f2d5a063773f6e
SHA256 fd8f738dcb65f09bed4105767415d82830aeaf6f03cb56bab890ee426263dd96
SHA512 0c9d585e3c98a5037ee1dd19de119d109be40e2ca5b2f369f78f6553e3d8dd84be0c82d870b6c7dfdfe361af3d0e66df13945839407b825e46b426d702afa2ca

memory/1876-10-0x0000000000220000-0x0000000000221000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.exe

MD5 bdb9d6751707d1e8100a4901e75dd329
SHA1 7364663b3b3cc2e923f26c549debed61cbe7eaad
SHA256 b42280cbfed44015830e31d764846de8e0406007c43c3092128f530837c2e060
SHA512 433a02c7ecfaa213965f54faacf39fe201f484511ef963df078cdc1b9fdeb4d9920607fa75c73785ca93a4a1a28503719bae63cebb3752f42e46c543ed129596

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d03bf2ede8b680beba1728a4d07ae703
SHA1 e2518adc3ecb42c1c79e6b5fa89d74173a1b7e18
SHA256 0e575c955289ad6bd513b91ca0f0a1f4f23cccfe495feac76344bca77f9c36e4
SHA512 35b35c031206ec130a451dfb0658f23a76c1900dbfd9c9b7f7be74b48a3b199a17cebfa7b173c61b7880f476583201263f86912d84667f58bb5c63a38b71305e

F:\AutoRun.exe (same MD5 and SHA256 as the submitted sample: a copy of itself placed on the removable drive next to AUTORUN.INF)

MD5 4f278afaade207258ed42d8a25dbbf8d
SHA1 8a2bd7c835a0b44a6cb62b14dd0cc2847268e521
SHA256 79fdfe11cad2dab14db28c824638de95f75717f160b8fef44fd7cef32ed14824
SHA512 9bbf885c44c172adc99175fcd3144a4b900f83ac6583079b2fccc173c3c12cdbed8a205eedc7d0c463b5b71204e6356307722c334b5e5bae31465aefa3894023

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-byte capture: these are the digests of empty input, so the shortcut had no content at the moment it was hashed)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/340-228-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-229-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-239-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 05e4cafa92fd152e56b83e28f657140b
SHA1 70c56bb488a0243f3057cff78df1ad78f66f3a7c
SHA256 340fae34d046b999d2b620c006d020a459440dfd820f460d978f405625006eae
SHA512 8a85cf160bdee2cb534b509b5eb452de44bfa019d6e67b1d415f553fc67184436dfad7df78782e5be6296658b8a5fe0c3fef939d9f23c3b4ae8297432165e84d

memory/340-248-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-260-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-261-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-270-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-280-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-286-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-287-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-298-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-299-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-310-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-320-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-330-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-331-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-340-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-350-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/340-356-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-361-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:36

Reported

2024-10-16 21:39

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 opens) C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 opens) C:\Windows\SysWOW64\HelpMe.exe N/A

As in the Windows 7 run, both processes probed the same 23 drive letters once each (46 opens in total); C:, D: and F: are the letters not in the list.

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4f278afaade207258ed42d8a25dbbf8d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

None of these rows is attributed to a process. Lookups of g.bing.com and tse1.mm.bing.net and the reverse (in-addr.arpa) queries that follow are consistent with Windows 10 background activity, and the Windows 7 run (behavioral1) recorded no network traffic at all, so treat this as sandbox noise rather than sample C2 unless process attribution says otherwise.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4080-0-0x0000000000750000-0x0000000000751000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 9a7f61dfccba609c41c7cf0026904d7f
SHA1 44082566f32d40c2c29046a400f2d5a063773f6e
SHA256 fd8f738dcb65f09bed4105767415d82830aeaf6f03cb56bab890ee426263dd96
SHA512 0c9d585e3c98a5037ee1dd19de119d109be40e2ca5b2f369f78f6553e3d8dd84be0c82d870b6c7dfdfe361af3d0e66df13945839407b825e46b426d702afa2ca

memory/5040-5-0x0000000000730000-0x0000000000731000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe

MD5 2a9c866963c1d7479972a31b05b52935
SHA1 727e62236c14f212eab5174c9c8ba958f7b3c4a7
SHA256 ca435867b22ee595ede40db865192ab6d23bef67621ffc4f936ea3f474ac5fc6
SHA512 4763b8d6119132b3be9fed5ab23f81b0a4c913acf0ef2fb67463cc2e2f0c4279edc8f7589834bdd4ccc70355319433c3253865d55af2f44de8ab30b544a57c7c

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe

MD5 e11107f0397a981cd438c71629473277
SHA1 ad30ebf8d1da1de4e5d33a3275b480c353e5fe0e
SHA256 29babb7b0caff2ecf3c84819c62546c3fa5ae8a53e195bc0d413876adbb85637
SHA512 2bd229e308d1f1ee530321e469fc787cdcb42b7d621485f018089d52206940e2bdcd8b2d8fd53cb00a75d04a428c56736e22b5faada9b20b4a14fbcecd0a11e9

F:\AutoRun.exe (same MD5 and SHA256 as the submitted sample: self-copy to the removable drive)

MD5 4f278afaade207258ed42d8a25dbbf8d
SHA1 8a2bd7c835a0b44a6cb62b14dd0cc2847268e521
SHA256 79fdfe11cad2dab14db28c824638de95f75717f160b8fef44fd7cef32ed14824
SHA512 9bbf885c44c172adc99175fcd3144a4b900f83ac6583079b2fccc173c3c12cdbed8a205eedc7d0c463b5b71204e6356307722c334b5e5bae31465aefa3894023

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk (zero-byte capture: digests of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4080-45-0x0000000000750000-0x0000000000751000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6bb99023b8f29d1593166d3eb32d7935
SHA1 b507f8a35357eae529a2372a920ba4835ada847b
SHA256 ee88db9b34b518c83a5322ffa2a464f05ff55a03a01434868dce3e4761fd193e
SHA512 bc1c0f0250e157ec420c0e2e50615779294d1ba372407e763010252daf5793d0b610048502bcefca90544b41e748234496a03c0b3360eb7d943e914d6cd270a4

memory/4080-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5040-50-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5340d24ac8c95d972f0169b67cd9fae3
SHA1 25f9ac8967871416f138f4c0dc7f6eee1ff2f304
SHA256 a7b576137c826d4fd4ab247a964fa98009564fa683e0b6c5b774161426743897
SHA512 9f0f2f9e1584d2506cccfe5e27f66859e9806827039948067e01a7be65ae666c454d5e2f88a581def13e2826dce0b4397c3f0a5b2f075cf016985e1e026f2518

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f4c66320afd5f61a6142492bb2e11b96
SHA1 d180dcadc78929f4e108ba14a8bb8b3b672bd2a2
SHA256 07f14a57e2f574e00875c8f5ac925234d7231040137ee39abb16e6503a5ce3a8
SHA512 6df9b1f7d3b9804ece3dd447f347791d9b79e8715c1dea207d179e542168663605cb88c4eed185e23f15ab9f1a6bed09af434e58c82ee61c9e4ef9ce26cb7f9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3a3f67d83f118cb842b1adc627071ca5
SHA1 8772a2c0cb85ee3a02018d713c4c7d6001987d9e
SHA256 a9a0331d1aca17f57ab803f8e1da2c437b1db4abc8be74b9130a19a6b52c34c6
SHA512 5c833f4f0d6d442f4f8b0b1f7e3704b438d7b858f75f3b19466c6c06b456924c7b97e1ecfa0ca805b27eadbf7c724f469def8a7e4c5348e291b93443f721115e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07ce8a01587e660b9c85bf0bdeb5f3f8
SHA1 c7fd5938777b78f05bfef1a51b9b327a4694e626
SHA256 cb6a0eb9d99b6d9fe0f3328d6ad2d00a8059ae22ea11bbee52c7d601a84e4ef3
SHA512 12da7f7eb3a0c19525fc150fe538033147e873f5fba17667d5e87df2e5e7d2647b5285b671b7e17a750fe1dbb141a3265b39832357930fae51fb6a7171d37c8a

memory/4080-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5040-60-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5b5049dd5594b18364748886adf6fa2d
SHA1 7f45befea54d9157948e97ad407619cc32e60480
SHA256 ca428b0257d18b6132d30756d9adc9acb6e91db86b372c79f9fc105bb40c09a3
SHA512 b0876b545aa1d9f2906d11c9ce075b4a8b0a3b48ba495cfbab5830b675c17f7754219a433331c95ef5d990a815418ec1a017805844e40d004c0204d4924c5c23

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7a1d44813ea51d6c1bd5df2ca5c8aa22
SHA1 c2dbbdf4ffc4243c6c13512c148877d4a6470216
SHA256 9a7010f95255abb66e7ba43f3ac1724cbd57ef2f3a6c82e605f24b38e3d60b7f
SHA512 842858b145ed35e8ea724827e7b340776b7a6a4e60173cdcc7641f1932728aeed0972e823e59926a13b6c3b62d43b6bc527591c0bf4e1c4d714b83974f9ecb6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c9aa07fd55744c0a60744401065aa564
SHA1 41599a3d473585193adf0af13c8c5789dd6ecd29
SHA256 38272ca812162c25da722864274b80e77c39a8639abcd7cdd0b0d8ae57951337
SHA512 649cf2fa6eeea5983af8fa220ad670e0b365885c5be071ce2debe5d734d9a4cd2b3ce79c337d0d00938b2790db47d0909811e443289ec5696b90675f4b7c6013

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8b21d136468c06355f03ff73ebab2d8c
SHA1 e38d5b074621b30a39196ef7f52453888e386968
SHA256 a985acf4844b386efe31b1d1176cc9454d332772b0c89332852e80a8cd8090cf
SHA512 a5bc7dd2b44be94674e0ac1590ce69ddcc25e6688549c8d9371094a676954cb9b3aeee80ae9a78225f88c9db667a3d073f6b95ea95e93b0d9036ad1df94bbc7a

memory/4080-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5040-70-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 37ca021c99e0df94cfb33d40a518d5f2
SHA1 54ce8bcb4175900af56fb250e44ed52e78e60855
SHA256 321be1b243935d77d87dc8b1a1eea5973eaa3cad31e46285beb6d9aa5d9d20e6
SHA512 e82f774838a543b5f06600dba245d6ae94501fe15466bc79971b43c4bedfced80a585cb058f9311d991979a73771684f03cb63ea5b4fa30fa4af8cf6cf56376d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2cec264b786fcf236164b419ece407e1
SHA1 a67cd96d295da980414be7e939af6f82633b11ea
SHA256 a9f1ae27e59b07f0c596186bc0ddaa80ac644e8204fad3306aaa6f79d62270b9
SHA512 b0ccf5a3345078c3bcc8c172153d6070042ccfdec7e9874155171f36b0474932776aaa8853a985f734b4cd22130a63afbaa769cab78ec25b60823cc825573f5f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 615b6a1338bf601c9c3fe204d5dd074f
SHA1 3e6424a1c7ec7b93b37080f01b51b00f9c56a4ff
SHA256 e609a0a1ac266b0d0539f0c596c74aa5c836cb6a3a0ab92ac5afadd9795759e3
SHA512 5e376c7ceaed770d74acb118c227b0309ed4eb5f88234897c4bf98c825cf27b5d90c640507e0bb3f93a33b4d6b1dcaa456ce0ea671d1d9a7505a82ce0a824810

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9616545179b4e7aee0d0a97a130a2bd6
SHA1 6b963dabcfc2d91dfd9c19dcd3532b9e620e997b
SHA256 2b17e63030e543bf9f398cd78db7f6724cbeae59b442017b7c7bffd059df83c1
SHA512 37cb6a24fefcee0adfd080052265eb0160283e1497b7184fba40f878e5e9f25a765411a8ee3655d375c06bf14cd64f113852b10eb9b0107d5a260ff8384cdef1

memory/4080-79-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5040-80-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2723ac72cffcb946b2a92255a827999d
SHA1 3a71a8451427fd04833aed13d844f432077ec430
SHA256 6d83b0f5aef59ce69e5406248cf68edd633f4498a9af987a65028fe3da9e83fa
SHA512 beff0896ae3bdf73b3f9647af590e9468436a3c7591efa0961a1ffc381a8fed2b08adab399d79ff9f0f212434ad9628d321a1c50494a50a9f24be7900e4b8ec5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7be8d4fca6b1c3e76f7538e49a7842c6
SHA1 d498c217da60707eccbe15572a03b2ffc4c2b605
SHA256 9992e250663ce188fefae65708bf135014625bb09bd32ef3b5de4c7ec134d8a3
SHA512 61bbbf98f0dce04448e083026ed049f1c67e34e6e146537d620d5dc427a37c8ab74214ee9cec265d70dfefff6d22ba0b7e256ab805f656277c51dac83270ebfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
