Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-g31fhawhke
Target 4bbc367b36d74b608280eb8de944f471_JaffaCakes118
SHA256 e451f1c8ace4d6addadda2772eb60ac500343efdad5574acf125b1eaa7e22189
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

e451f1c8ace4d6addadda2772eb60ac500343efdad5574acf125b1eaa7e22189

Threat Level: Known bad

The file 4bbc367b36d74b608280eb8de944f471_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:20

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:20

Reported

2024-10-16 06:23

Platform

win7-20240903-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:20

Reported

2024-10-16 06:23

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4bbc367b36d74b608280eb8de944f471_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 549e475d6de9cb255507cec6f3f68ad2
SHA1 4372f71e495444b0003f74e29f216a21ee93ddc4
SHA256 d9d81246d8646540b83c8fce9d26f367f2aff4d77dc9d8fa8f6bae0d25ff89c9
SHA512 72c66a4aba08a543c4d0f2448cfa0c4b37e63bf8890e352b55a9db73594ae2f722c1aa5ee27388200503a36c8087e2c8146206ac70880f45711566db0f252b08

memory/344-114-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ab18198aa5dd7a76b62329e3e683e07
SHA1 43789b391996d9dfa7de9a8dbdec08412426147f
SHA256 9144cf7b320cc87dc726bc0c947038bd1a5aba480b8376186339eb765d287974
SHA512 24df03f996ddb3e13f4ce6c4171427f1e001da6378ef39bc31af66aebc7cae92427d469dd2481bf84929adcae9c349551fc8717236ec6bf9a8f32990c22a739d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 673ec18e353e245ef42c274b17e0f531
SHA1 a2c4c6736486891d63b70ceb9820b16c40f71327
SHA256 c30973f94538f255b1dfce69c7a9b25d82124f65d23815dca8fdd7707c71a762
SHA512 ac57ddacaaa1b89f4220be7cb9a44d64f022d7af0afd51b6e7aca18d1c0f0a82e6c15b5beb11ad88ff9cd9776f9dc32177c216f17e5bd77dd64ce01d2555958d

memory/2884-119-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b7944ccdf5abb34a380bfc7d44e489b7
SHA1 bf9e953b06a907674f7a3ca7e0a2a9b005b85421
SHA256 00d6c2855e4be966fdc6f9546867405096dfad27ddf6d2fa91037cdb4fcc2e64
SHA512 3a0a4f5b4bfffb02e8c7c8be99ae91ec391e346d8503838a4cebb2e437a5dae2e422c1acbea03f4400e2c01cab2513a98d96cc16ab2f92cf53ce642e04faf408

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 49c6322015999241fbd0749c25ab5826
SHA1 5a6a3ae30b413a980c625c238adcce515c4cf389
SHA256 935fae6c284f3f351d8909ec5a036a81bbb99fce188f513b2f936d01dd44b0c1
SHA512 42e23453ca01b4c6892ffae8323f0a719ca76d113fbf188ff147a244c193b12af840471892d41a902697fed6fbe2e4b7e011251017d80c1941d0a5f8eb620f2f

memory/344-124-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e81af3cc7fb5a62d95149e130fffcef9
SHA1 398badd707d95288e5d8f7e2ba7ffc7f0f6847bf
SHA256 5141fa524d347c5ed7fdbedbf6d2df828a2e56082c58df1a7611a64afd2a84ae
SHA512 6f25ccadc0291596ec3ca7e8598a97770c9b98c33d4d595c3b98c12fec2af4e8fbf3a6454f45b0b6971258297dfcbc99e401160473fa4b5f89c3017b196fdd29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2748766303f9d6b874a02e0a69520e90
SHA1 cb0ae311e748ea5c31e506b4034c8202c2fa2214
SHA256 59723f51051712a48901ce208410c89d9581e9013022e56ae43d3a949da10381
SHA512 366d52e88e24587cb8c0763a0a91a11a709481fe523530e6c20d9e671db4e355150c61222e33ab39ef5ead2a6a336ba45d51a4c00c8d5b443a71b8aec5f06cf6

memory/2884-129-0x0000000000400000-0x0000000000478000-memory.dmp

memory/344-130-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2876c1e56c0ae8b68e6381b832c5e3de
SHA1 b72bd1c852cca79994d9bac9b1d69e85e61577a2
SHA256 a97abfe15256bf39ee127edbb7863c9a4b086ac125f4608e19d89215da35d5df
SHA512 dc55c59329f007caf176b19c83b2ea4ba25dc9057f5e65743e184528c41dc4779f9319582244bf34164da21602875eea492999e8b4cbb990581655f02a23c255

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e52983a1062454e4673cca820f27054
SHA1 6f69bb35c6df53fd615082f4790d9c50b38e9659
SHA256 155dc116c40bdfff2fa8267b5217c5fe2b0cef7cb8ee9374c2be2c14effe2013
SHA512 65f5ae78e90941d67fc6146c859492b6fcda325926d83cb0c0bb2123e35cdfba5576805f4d9d3a3619ad0eb9f1e4507f9464620a594c081b97bd6e00cb2324b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f114c90af0e70a787ac7d8735af708b
SHA1 0c17dbb897d425d7f41296df55d0178479369bd0
SHA256 e8f17e27770fdb5f0359912d00800a176558505e88ab826b1ee480b1b8c76b5a
SHA512 39469bb8d633356b07341a49fcb2d1fcc3505e3c3c5e6704798d68213d08e8470e6a308c7f91a7469154bc6e03194dd65a47cbceaf1064275c369cfd3b674996

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 39c5cc337369c517eb0f60afd068fb16
SHA1 71f59d1cc1af1467847c9d23bf8222117e11f131
SHA256 6cba8c8299f8f19da2246bd18a6dd6775658feb799eb8ddbb1c9c567711629ca
SHA512 435dd61912ca7ca4ca1d68cb16cf28e7a0e06d81717076767cf5ce55168ddb997c35e61049136e2ec20e4ef907171fc309b9b59d50dd1c6866ad4e1b277069b7

memory/344-140-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2884-139-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0b916bfa4d5e0af7c29af9c4f9d65497
SHA1 ca24f141ccb7da59d18c7060449581f139373bca
SHA256 8b63e888ce5bb226521b9575b6ea9057e3938f6f36e4500e33e4da7658869427
SHA512 1f806896506dff9d23224d0412e7b00113a24b83ab607a09a6f1289469ab261c43dcccf328dd3eec2071482085e6ac7e01087783e39912a40fe93238efc126ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 66ea814d154d4d25a03331c2e94da2d8
SHA1 22387997af7a8e69106a9e44e516148bf6ca016e
SHA256 38d5f0abdb46f8b917620f5a0aa062974b9c2ced03e4ab03ef02aebdb3384347
SHA512 4c114682829e02787d95b1c2f4a05f617ecf445c4ff5ad8ab13f928aeb80043eb33e11f90f20481bbebad762e5afb2e8b60f41d4f3f5d99ea8ed270029ef3599

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 abb8546d6ba9aaa09d259521853d8578
SHA1 b2706e8b6de20373468982f39d2fa833b2d9f9f3
SHA256 b113e9d7a9fd200bdf8719463de94fad606e9967cc6806a1f3c0c339c12947c1
SHA512 0e86cb2751e7a14788bce3a436a7904b419e7a529cc9e3a012376c230887521e156cf18e5b9d3ccfa150dbbb9858cb9d579ab46553e9bf6ce7d172d7c32aa570

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 105beb68c485777affb6fd9da2ecf418
SHA1 5218a0cd05300bf758de1f0a2768db4879f6a25b
SHA256 1c50bdf4af779503d7af812794abe5790ef0bd7a3a649376ef4754fd9f39fe26
SHA512 7eacf4a963c993b2e8a04fc99a22e2ae1a3032e6782a8a0ab92a7ca98b98deb83057d744d4b88ec37d619d51ed3102de5379eadcfc9bad2c20c92d222cb42abb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1fff2b65ae41f7b48c2e2305985a6b21
SHA1 107c78b2848ae68bc6e4380540c50255bfc4da88
SHA256 4baa4b55d610b3b70aff925b01edcaca99eec5cba36d56b907d2dfe306f6c035
SHA512 b1ab9a8444dddb5f102ea7c8cad97bbb91ef2fe3656c248f423315473eaa13bc8ba2a707800eebbabb57af6d9956018e471c8599dc09b9794b07c173baf86b78

memory/344-150-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2884-149-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a90ea56d99c1cf291147fd7b8a95609
SHA1 6f12859f2a2d2ae700a3531a395e2117f4d5d0cb
SHA256 cbcf763345c0e1df0b45396486e9a227fa49ac2a7c18c06e5f48556c2d98f334
SHA512 df5a550dc96ef3517786cdff98aae4e474b7d1d40f82e3d926577509a4752f5888d125d55b459dae6c274b40bafe57a8d25ef3570330cdc35ebcd25ff5315ac0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ac4c901d3e2939331922679761093e0f
SHA1 9f2170641756070c7385e25bcbf8c90c28ce251b
SHA256 540d4a6e9c5e2a90caae2eaa7e305081527ad786376f7775f32c5231c6f41e85
SHA512 75b160d8fec7591f7a16e9940dbe024186078e089b831d49fc16473f1ae5708f8644f3890a61c13505a82b447a7b4e6c3f1b288f3e6e30bff798bc5865df4d1c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1e1a2bba8650f78e0970aec1416987dd
SHA1 2a85b55347047441f42868dbf718698ac7bcc097
SHA256 fbb1f280a1fb5831b01828ecca896c060e95cb1513f4ae763de9027ad91ee1d0
SHA512 a65b3e12158164b093de98b7ae2367e9ac8fb183d57b31f45d0f3e2433caf711d7fae37f5d3dd939dbfed887d90c860dbc47a5951c3077fc9e75bb69dd50f68f

memory/2884-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/344-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a4a7ea101f4ecb1ec949152b1246be70
SHA1 f135508ea843d2996dd899d537a4ded425438533
SHA256 804cfde019e61bd052d577a480a7a62ba376c936e1d13854e8c44fd09c59e8c0
SHA512 79af0f4ca3ec143b292d24e6232c5b7d69a388935fa56e25736ec6dd137eabc573e53a1a301802cac86cd5dd07036cd2e6be66386eae68cf5e6f616bde6b3de3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7a6ff63dd8e7ab2d553445b95a202752
SHA1 36e5bf9048e07447d4a1dbce7b32196d13fc06c3
SHA256 9147e68119bc8decfedae9da5db8a0c24d991e85163156bb0ba9629adf56f2c4
SHA512 ceea5fb82e55ed90c3ca12eb691abac2cb18ea6fb86555d7fb24a566cd4353de72c4205a80ddc3384cf46bea1399c15b2e6d54f6f33f2880c8d1c7ab8bc50b5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b98ca36c6b9e0fc67e94644f2ce7e4cb
SHA1 82206ceff779bf9a00efa1dd338e88e462b05668
SHA256 83ebccbfdbd90728a7a01d02129d429548ad558f9b8bde6d2cc11b1dc740e0b2
SHA512 1cded546133a33d4b46ef6cfd1c9a422eb2b857240af54e1662ba68ea99b89eb02b06cc61d6095c26481ec1c1f3a1d591da491d54ec60154152a27b85148e0b7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b164b7c4ac874716d6b2080d8cf4179c
SHA1 6f7edd281846c7d46e770abc1f2e6996a76d7fb0
SHA256 bd52de1d4c5993eb3946594c8c64af9ea000f11a4f06f671d6f968bc03b86a82
SHA512 e0e0b772b7e3ca78b75a85d53531b25402ac2173dc05270674fdde97c79823e89429c5262c3748e95b23e0f633601f974cc30db5ca439ab50123eaf90ec1987b

memory/2884-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/344-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8022550d38086c6b0f0d13c601924c6e
SHA1 2cb8601e6b12b7b57762bfd54128a2a0b46e2e9c
SHA256 02aa128b9247a008b0d7a8ef511171e7e9e1c8b6d024a6d78a9924789c56ad4f
SHA512 34f33af0fe083997095c6591bc14c5b652df3d1d46cc0228158b3c6393e096d4191fcd216b3f90275b2852c7d0532d0d27caccce54a4805edccef5a0223b9c3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3ae999d6f850f9f453e2e41767882ebc
SHA1 066ab2eb1bbe29a784db743cb875717a41ad4132
SHA256 1af01abb99ac45b38db5419ff3c8b2786b31d446fbfab48a548f32117fccf741
SHA512 4bc92ec30b6eeac2e035b77cf995aae92f950da5001d3f74f37967fb5bfb2eb7b0bd4db74b046d2c840cfebd1bf3f4868d926613daf71240b5cc36f7b8da5c2a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d5ba345f04781dae5b6f5658be2430c9
SHA1 c76208a6562646d55c057f67db60500785a3078e
SHA256 3224a4bc48a650656788fff242bcfb43c88d77e63be4aec796418de369fd71ff
SHA512 f8f4f86c0c79edd114eb08104b591286fdcf3ec1cf2d075412a370d3fc027ebb46cbea7ccb4a9306fa0f94b6ec5f2fd64db2abe6daf7d2f0b8e33edf21ce5dae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 47984aa3833ba735c6d09a60de4d48b3
SHA1 35c4a6f82f2c9a5ad7f34b8fe46eafb9a5f612d7
SHA256 0809a5773b802d8037349732b1535b2f811823b724ec6bc2056a52fa67cd62e0
SHA512 2c693122c69c42bccc512afbc22bcda3549911c3f8373e99e2e055074d99db96ce0a9c7a8c8fa07123af972cceafafc02839a3cae64da9f5b28d6c4dcdfe2d86

memory/2884-181-0x0000000000400000-0x0000000000478000-memory.dmp

memory/344-182-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 57dcc2a33e01e53faf89f8b79f5338ea
SHA1 ea5d20b4411cd4da88c05fb4c2f9c15027a689fe
SHA256 4b7ad2a8097a36ac8ddcf131787e4cea4259587c7b1caffe4a849962b8ab798b
SHA512 66010be000ad3722669bffe13eca3d8bb2cd2bc29e1406034bb4a0e5cd1d43f38cd2f8d5f5c353a540ccd70abcf26da547b9b0bc184c4d9c513bbbcd0ffd54ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7482fd68d2c6dd21d70a9e994b597765
SHA1 824715854d528cdef7252a56fa93c5b091216bf4
SHA256 4b85d918d87fd3c512766b1df7d1894af3e632949af4ed82429ac9974b6bfd21
SHA512 85d5fc30b0f6e030c1372a38b3a7e70205e6d6b8ed738c05b8d7743d7e177caee99cb0e9e46807ebb3b3c51caf10fc0bb617980ddf2fda76558d6c74b49d3f99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a7ce780d21be5529701c0eddb008ff6b
SHA1 ebd436714d37ae01fa3abcdfa7fe7bbd66cf0a7d
SHA256 a4cd57d375075fc1f9b98a7a5d5c0b8bd91d0a247d405b45eecd5fd916ceb265
SHA512 6844bbb0bf3a21d7f1e82e416ccb831771fb8e16c2cf1ce9ae5d00aaad392cab8384dc3b8d0d41c3cb440eaa4d4ee2664f73569db1bcdf2f9b4decec9c2499c1