Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-yglhwsxbkj
Target 5e57aedebecede14e69df054f123252e_JaffaCakes118
SHA256 3eb2bc9ea3a232f9a0eff0a66c910fe7544a21e99c09eff89567d0f876a53885
Tags
aspackv2 discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3eb2bc9ea3a232f9a0eff0a66c910fe7544a21e99c09eff89567d0f876a53885

Threat Level: Known bad

The file 5e57aedebecede14e69df054f123252e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:45

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:45

Reported

2024-10-19 19:48

Platform

win7-20240903-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2380-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 eb11d4980999e252425975f86030011a
SHA1 e2df57f037d97c4d6efc406bd9cb94b07d826e8b
SHA256 a0fe27eefa5b2d04922c421b4376dc509c7bfa59c8c32a321a1cfa377b2cae0a
SHA512 cd4d0d7047cf0f7d1454569410645969be6a97308f97e82a12ac568cc9d6e2729d8f99442c802a1de719016a27e93d48062375b45cc0e5866f96fa5bc32147bc

memory/2004-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe

MD5 aa7b09017416ec9331f13100910e6a82
SHA1 3abccbe5622bb9d68e46c3b446b2f35c85edf907
SHA256 cb0e0b9adc22a6c808fa142e4970ad1b93e1ef0123df877afd7c726e918138ea
SHA512 02d1406e64125dae008e4e2354920c5fed7fc47ed379aa322bd7ed04e32eecad56ee099f6286dd4e9bd2e38cd552cf1a9bf579bcab4243506cc2cfd90929f29b

F:\AutoRun.exe

MD5 5e57aedebecede14e69df054f123252e
SHA1 70c57d06c9bd6dad889d67c8f794c9d4970bed75
SHA256 3eb2bc9ea3a232f9a0eff0a66c910fe7544a21e99c09eff89567d0f876a53885
SHA512 70015e0d046e13e105b9032dbfc522f3ecaf0d5cef67065a2fe92868a7c3431ac25ca9175953fb3ab68e87f11b09d59d6f3fab7081df792b8e3057d1aa37f5b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ece45e4701abb1628e355f9d3d71faa1
SHA1 f444821e05dadcefafb2daf177004640eca0b16c
SHA256 1a7aa494c75527f653b97b4604a194f272388f4d027a0bc636b13ccc1736a6e1
SHA512 b6d9474a7291bd9dbad4c8e30e6521d4efa1eb68e25bfdab048c6bea33793a06f786987a5f011cccfb84a4968180534aec3778cab38f7bfe7b426fa9ac936952

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ed73ad1243a63129962120af1f93b032
SHA1 7bb0c919b5cbc5b45b7895f5dd4d4fc232c1477c
SHA256 cad5808bffccc57c2e3ec993891a5155c010a62051fefd40f57cd3bf22b239d7
SHA512 1d528ea61a402ac7be276e0475cb33f04a02ea42e2e76f1eddd1fc8fa44698f0abe737d6e033a3a21755d08ff52f62d1a9e514d90f64e8e71c539a3631badc18

memory/2380-228-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-229-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-239-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-248-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-249-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-260-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-261-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-270-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-276-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-286-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-287-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-298-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-301-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-310-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-320-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-330-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-331-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-340-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-350-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2380-356-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2004-357-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:45

Reported

2024-10-19 19:48

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e57aedebecede14e69df054f123252e_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp

Files

memory/2996-0-0x0000000002320000-0x0000000002321000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 eb11d4980999e252425975f86030011a
SHA1 e2df57f037d97c4d6efc406bd9cb94b07d826e8b
SHA256 a0fe27eefa5b2d04922c421b4376dc509c7bfa59c8c32a321a1cfa377b2cae0a
SHA512 cd4d0d7047cf0f7d1454569410645969be6a97308f97e82a12ac568cc9d6e2729d8f99442c802a1de719016a27e93d48062375b45cc0e5866f96fa5bc32147bc

memory/1020-5-0x0000000000740000-0x0000000000741000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.exe

MD5 2b61dd1bd248ccea0e02be7762b339a0
SHA1 4752ecdba4bbb03855373e458011d4a9ccf77a84
SHA256 34c75f27ef2291f7ebd5c3eca587697bf5cb91137126ac704b3bc946a38329b7
SHA512 4ba32955dfb47c0e7d64b785e1777a1bcfa2e9d6743ad2f2496123a606829dbea7d62024852852e4200b4f92c20e6316671611b648ef15b8355dfdd7ccfb338d

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.exe

MD5 bfbbf5578067d2e90a20ac344553bf96
SHA1 2af8cbc74ea8e1ec319a7f0496495ba946ae2788
SHA256 7e1aee86d74d489ae5d8eeffd430127a5d4554512c2bcb7d50f9f91867eff620
SHA512 50630c99951173e530a0231a23dd0555b4cef9f3236679869a04b81e040220643d760476ef8fdab83626298119e8b279c5dad90ca402036bffcf3b9f3d50e1f1

F:\AutoRun.exe

MD5 5e57aedebecede14e69df054f123252e
SHA1 70c57d06c9bd6dad889d67c8f794c9d4970bed75
SHA256 3eb2bc9ea3a232f9a0eff0a66c910fe7544a21e99c09eff89567d0f876a53885
SHA512 70015e0d046e13e105b9032dbfc522f3ecaf0d5cef67065a2fe92868a7c3431ac25ca9175953fb3ab68e87f11b09d59d6f3fab7081df792b8e3057d1aa37f5b2

memory/2996-44-0x0000000002320000-0x0000000002321000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88e33a1e2be61704b16ca47fba61914c
SHA1 f5dd6fd9211f34a8d9e01c62cb65684308d19b8a
SHA256 b10c06c55904889f9e297055f7ed43a725e7c786304673ccdf7eb17470fa8f01
SHA512 e8b8135fb435a9d1d1fe30b528758174d84e5fa9e11dba334f9e328e0da36ae0c5f66813e9f7353ba3a656f9e301cebd66413a0494fa5fc86e395d7d33222b02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eefbd506d92a9dcda295ea2de176db64
SHA1 d5603923203ef9da1fa6718c72325bb5ee088350
SHA256 cb8c0afaec7d7fb0220e1b9d315d367db381ffaa79c59f73b01d5283f3c3435f
SHA512 e35769ffaff30408317912f1f00477e666127acc460f4c1126ee21e13727e3a9196a4eb6411e96d0c8716d781af81c55cd034abba677d2295700519459a2b34b

memory/2996-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-51-0x0000000000740000-0x0000000000741000-memory.dmp

memory/1020-50-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e971e4faf5cfd276e92d9363ab71187
SHA1 479b8f6a4f747fcc4adb9542f5bd6b7c76cbc0c2
SHA256 a5e529a23fcc45de1fa1ce236ec023b85910ae9f46d30470ace9b14af7341476
SHA512 209d519df38ce18123e08d979132f92b653f73793ec03316ca219f3dea4431c426ff2e6b8eecadbb9e6d392fe8430e610dabf6edfd68795fa7a39b854d96c74e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d47d18e910b0650f9b3296d15b0549d5
SHA1 50e405f708f2585969f7e7e0fcc0d7186dd61ab6
SHA256 f4083fe6a9bb82460807db64c6bc0ed66572d358f925a95d85a265b9367f4404
SHA512 b9c617daac2d2a1607d7cfa3a14ee270a994e38ff2c8541130195de65d54ea20cec09dc98447f1e1c56c57f5cf0fda26221cca3c9f879a5903ef5806acc03fa8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6fc95b03eed5c905b8f7cd4904fb6e47
SHA1 208f1884f66cc68b9317aea4c726af1d9d7146cb
SHA256 412703e8997bcc088ae59e849ad9df8d546218e085b23a1381c8cc14776738c5
SHA512 5c046d47aa59b732fee39e893c21c49197561ddc933526827603262aa8c1f95fa1892af53458d96e4ed54ff35656c6e49820dd9bf36c8054b6244645ee75e281

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8993bbdf62305aad3d9cc84477d6e3c2
SHA1 82164408d0a6dd9141d20bcc7da6af1e049e5930
SHA256 39e1a56cfb9f0a3806e41dbc83c500f4072ec28ac2f72f6d189eb0710577ba15
SHA512 80d553509b495d8102fab5ccb0914ab08bb79c60d31af56e393b6b517557c65e69d55836ec5834c6fe39ee718c1aaad65b1b425f0b526f0f16bda5cafb688696

memory/2996-60-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-61-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0db2fe4536bc7fd992793e2d1ca62600
SHA1 2b7db260414bdb860b71c5c7e78ae532c4833e65
SHA256 616385e1e1b84c19a1a4688b292aeb5b10118b57108b62a3758ea63885f2a632
SHA512 e544c06874bd87dbab4c5848156afcb3875e1e0d03f1016c923ea2afaab3af3f64c59d6ae7ce0ec8b051518160fa796afebdd4e91076e1b7ac35d007427072f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 95fd15ca25f81ac69e24294423d4417c
SHA1 dc18f7413fcf7e3d341b436a0a2f59c5ca07a64d
SHA256 506cf4f057eea299b41024045c6b8043c5d8e773dcb969b059cb6438ce7ab434
SHA512 a8afebb4a60685d20a48c5c044fa99a63625ce3ae33b1a79bf9ecf812de346201d90d2de46baeaf594aadf7582f3fa74287a92f57fd7287d5e9d33037ffbfd01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4200cf8e5c4c5ecc782b544cb54598eb
SHA1 cf9727f7f31744cfcdf5054c8926d9b3c3df7954
SHA256 5f9e45ca1ce2fbc763da47d1e9167b29786efe9f3cbbcada8cf77a77f1b551fa
SHA512 7c948e924fd2b9d8939c76f6136b6e1de7f29f15fb843c9001b816c93f543435f628df72329de5ec660a72bc8697c4d17cb66d1a3c8accbae4f25156fb9f5d1a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c30d2183096f8a05194be64036a5fe8d
SHA1 76a095858d968c537b0b6a3e3ffe272118f1f613
SHA256 649871cf646d74f598a5d07bde4c0c7a0ff403d64e737e43465824e61226c981
SHA512 bd9510b7727ecdb746e89490381dbd57de53541d6c7a3a1cb00bbe66ab12daed4673ab8a60a9f53faff66ca8ed3b4a49dc5fa6c1d82f6e308001dd6ef3de061f

memory/2996-70-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-71-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 869becbb2038deec7833b71c49b374ac
SHA1 ea364c38fcf8a04325c96abb316c42fbda9b5ba1
SHA256 12c6d7a387e37488c37276194b7a287bf98e0c035191a6fbc9c6e60d520f8fdf
SHA512 d9661d8dd6a2be9270b346b83eb796fcb2d1b343d6d3cf7567c0694f139d463f3023979d0ea25d8974b128815e913d99730b9e744ba17e616488f76e2b8f27d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 87d899977526a54e3eb1cb274d0a177b
SHA1 8e5ca96f615fd4e62d7a3690c3ed2064c7bdeb82
SHA256 f186439a36c665c5ca9966a9f644556d06acdff5156789c9bd1f4f57bf3076d8
SHA512 13fa3a7b16cd2c10fc8ede75ccdaf167325e98837f42a3f1dd041e0d6a34ca3dd46f5791983017cbc0f29937ddf007a06148cabacbea2f679c706c418721bc0a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b7591b925f1d0ecbe1c04431ebc34752
SHA1 64f253946b8b3c2f09b8cdd67c0ffc3f102c0dfa
SHA256 f91bb47f47c10685c7d3b15618b58f0f25cc93d29cce0be5b5f34d9524dc92b4
SHA512 ff659737397d1b0cf0d16a8aed749443b4ac7cce6be71adcf0b77574ee3fb3531c2c049b89bb8be4c43b6c4883faf0c6ef9c58797bfc1c550c7da8a181084fc7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 40b337a9ad5be9c0d66dd68e3f21b8a8
SHA1 fede90f58eab5ee164108df6951191d895db5587
SHA256 6b20263cb2469ba71e516a6e4c76982f3e494344755fddb335db3397495d7f7f
SHA512 6c5e7d8b197b1bf0bf610cac704a2560410eb99220db05291de25804738884e2059856c0ef34dd02c502ebbc28937fa6a397d185c129354c849303d0beebd853

memory/2996-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-81-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3c2686e2cb49d48031fb519be23cab38
SHA1 860d22f3f84f3d62e79fdb89faa6d4467acf9488
SHA256 4190d65a40d6a6ef7287bc97ae4d0738dcdb57bc49ac71a04910ff5621d52a93
SHA512 fe55163f4c5f28841648a9d063e35db6955b440bf52f5f0d4e2eda14d957106df224053f5813fcd8633b885dd721623883078d4c11ba20bc2aa9cdc2749ebd60

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 41f6ebd76a861c89d95d0d13dcfacb1f
SHA1 07cd69292048bd39a92aca25804a98ef0e44498d
SHA256 72babb699aa1c7c916f463b5f40b5b037965ed619a735a8eb72c0d4a354271d3
SHA512 849a0936a6c4e1ed197dc1a962df8cafa5beebb4c7c978b7d88ab3f0ba8ecfe538a1f2cc1b01d9ee04eb399d29e2c5fea6ac26998b04790f8592a97132e75250

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7753a2a9c2820e0f324e41290e4c045f
SHA1 7e7ee17bde54162566a721a7034359f9bb5e32b9
SHA256 57f5c800ae4794ce41897a95aaee6d3f7c0483e23c15ba91e3ea878205c9b018
SHA512 f1caed580f29d03039d710d84beb4eb2fa91cc51d67f3b9c488412b42f952476630d14784bdfd0bc8827b3903a337e1cefeed9b21706aea90d4774c4b5345d3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2c16cc121aedd9a24f615c61612130ee
SHA1 ef070fe8f908e04f7fb8274b70c7560d4eefc5ec
SHA256 6741eeef2c5558328cbef72232b39fdc4d527b698e7a40b5fe6732f08106aed1
SHA512 3b51170a31849c43db97d42ba120a00d15e27f6a47bee76881cab8573aec18ed491b81790c160068212ef1b96eb24629f010ae2c4702164bc55f19def427c9ef

memory/2996-90-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-91-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db729441a638432a839cf83c6ed68328
SHA1 5ef936879322d73f7c16e320e0317e755588f10a
SHA256 98c7b97f88eff35801696dbc4cffc08a01a84da2a91c6369f15614ecd6f66e96
SHA512 632bd69f864efb03ff3ce8e1b1afa6bb16dceb596dfd5a24a4ee1a19d844eb1cd56b711e7369edbbdcc8c9e3ca6cf17d2e4fa5e1859e613aaa84871a815348cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0752c880cfb6f0b12d9dd541e4208e98
SHA1 10b36ee77b4b973f136f0c7966896a06928c5216
SHA256 825814597b11f96eb98eec8d76e8b395a9f966c822952ffa71789fe684c5053e
SHA512 4c7c77a0e9ce1af9b1804f9dda4c52b555f0565fb12685cfc52f9098dc90a45dff2c3052bf9976dace46faf61b12d97ad2b6baaf9c93f9ee0b0db39ddd23d25d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 96c7df8083539117019b590e4fa5caf8
SHA1 c40d38f8dbc4069911cd70913d4783a4b7446071
SHA256 e7ff34dbf4c4ec7836f0904c09cd292dbc2b506f1782aee3b9c6c8f09e667290
SHA512 cb5ef5d1c978cda9eaf2cae05b200092a0891ae880e0f05962aec5e04d3a63cdf335242fb8c33ad0a7bbde4a6ad03f9ee36abcb93d7fa13eff09d59659f190ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d8fe93cf51d1c723260b2e720a5d7a6
SHA1 1b71760f27ab7779f4284a5db238abd12151800a
SHA256 dad300a2452d1d224672bf9a0b80df011fd781b53f2bf211733cda8134a2da99
SHA512 49970e981e91e20d116eb2298c12a0dfd2073953aefb1601799c5074de29d6611b361a85d77b00be8405891f5704cf74cee29c7f82c3adcbdeb4f4ec818fb7f1

memory/2996-102-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-103-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 559d6ac0f75d8870daa485834c2c97f6
SHA1 bf9560b86ca034476c4f1e7146232e9034e003e9
SHA256 d81ee1f1143cb69a5e9b205e4d859d9f806a12b5ac193cc45a968d4904dcb90a
SHA512 84aac005595673f1b549c7e652fb233c8f7954c1d08e00bc1d57f2c44f342dfee633571f3ba0fb93a7389aec04f2d1408ff4d3b2ee56afd347e1c58e31e47589

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7867f53dd6574b6240ba4632a069552d
SHA1 b1fbb25b629c2cde6f2fa9d70d164b497048c011
SHA256 ebc23688b8a6dae16c20a810816654e518b33b25e3fc639b55e4c49348e7584c
SHA512 03e8819525a4d964bd580ecf4f90dbd0faebec59f639deec6cd1d8532effd01a81f85243c52b0cf349284bf17e1024268e9204a01a76303654621c818fe8b586

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c39a88dead668dee687e70839f68cb57
SHA1 e276c0d930ade64ade86d4b504cfa463ebd884a4
SHA256 156d7471d9fc40f2132e136cf10800a0f9a64e4c9c840e8b723cf6bef3c78de0
SHA512 0378c822b37fd2ee5d610f7fca19fefda7ad8bc6ffda19129fea1f555d8acdd9dd7951f4f7a06be7ce70fc6baa4726ca9a50df0f171d8098c6b6ee57112eaa37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 12d8a732ff84b25b7b5085a4a7e23935
SHA1 7b4c068ad5f8f9f64545ce0cf97ac8fc4ca5f92e
SHA256 d75d78785e33281fea5ed80cf924e029160b9b784ba70dc1e2592ddd866322b3
SHA512 95b1bc2cd9819b081d0804d3c7d2f4dc634874493cc1064c75de42635ba36fe0fedb4d600c2770e723754c4d05c831f152e476afb210cc401fc3fee22099be64

memory/2996-112-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-113-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3231605d0ebf63a9135dc48584e28053
SHA1 4f94dc71eb6714a9a8402ca0da524b9c7c38ebd0
SHA256 ce30c5e3d58b078ef2775335da47d824b96fe5955826b549f83a8ed8b7ad4d5c
SHA512 a323898f062f3fc73b854297e16689086a90709da159615952d11a436bf9b3e078c5ba8e09f182a2115f1257fefb0593277bb205dafa99ab536fc68c2f1bf1d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ac762b82ac4996538847f014d175670
SHA1 850e50a3545938c8d9ccc3ce62ef96d34d910a6f
SHA256 7e627b3e46b3b39ec6fb2bd09a3e1322445aff1ad410f498e5ed423d07fedf51
SHA512 2cd93b083662bee49a039437fc582b1361d1f65427863e4dfd9a46d65c92612ca836f98516c046c5aeeb57cda2660ec52a234d4860fbe6274e8902809a1dd52f

memory/2996-118-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 09ac57c5ff6a09564d038167efe8034a
SHA1 fc8c8a4dcda0a2694f52d729b936a90fa8930613
SHA256 c0ae9b83da2b233fff885392a928324cd75a9cef3ba0a7f89291f939e4e2a1b6
SHA512 c2f9e7d7e7f746205b2e15a06b29f34e48e8bba3573b9ef38dc0f62267f2e38dc4bde995d539bd052c57370b3a401084fd80657e072189078f33a2b87ae9b2cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 36b90eb536c28f60dbab7b74df4ab296
SHA1 e8f90af4b50b37cdd2c6125f209f056ec5dff4c1
SHA256 080d0b31084e787ae992ec7940e109c39255a84d35881ff8cb3a9f92244696de
SHA512 db4464e90ba13c576333525eb927a484c491ea8179d276c61d46865b6e40cbab64433d66b9627aca0aaa690a9a2744ec8232cfb522607f0172690d447c423dec

memory/1020-123-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a934ce6ff6cefe82ff34e65b5b96af82
SHA1 ad9ead4ddf7c7ddd471b8c2a89d736e8fa78b1db
SHA256 fe74a6460dff03c2fc047241cf9efa33e4c0617df8ed8461eb423ce41fa83294
SHA512 b96bfe4713e67f23ccffd5b5e77aa62b03ff380fc2729ac9fffc83e2b0cadfe349060ef2b731d8d667e73be5ed226bb343ece85990c8197cb8c0b7789c5e1fef

memory/2996-128-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b884e52846e0797aed86db1f4f461b82
SHA1 459ed875b520fc3160e0e2615929632b92f91581
SHA256 01acefed3f891bfa6331ee3c1087f7aa97bde10326e496eec6a4078ea7193570
SHA512 09390c8c9949cbe873a6c2d21d673a02a14eaacf1428254c39735c75941b2d8817d61fc0dbb59004a711147d97e28f93a43a37966fe5c1ade2146ffe66d75531

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 91d90c064bb39cfbeedd920d20086337
SHA1 9f74df7c99ff490bb384e1ed3c7e1bbe04612433
SHA256 c596c3dcd2eea17070f2d2d0580dbf1f3585daa6b27411cda25f90862cd5e108
SHA512 ebc3d1721d9c41a3ee3b8f78e94d23986506f0f1d229337c523551b7f85e22e0baa178113e783cf683c280cec8d706c5b1435c71e3946a1622fa3390ff605812

memory/1020-133-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b9ef98197d5796edba5d23264416c40b
SHA1 61676c7eff42f0da56ff9a3c7ab5ffb1d328cb73
SHA256 1441d6ac82f3959966cbdd84cc2001fe740c43b878591b9d602cf8403a827cdd
SHA512 63b40493c4a405c0e94d09f4c2df3e2cc2ddab4fa4d5251715acf5ea019e9ea78b60cadd891b4e5483f132f8cd7e5415658e90d61e3f764c400539dd0c4f59a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e1ad449208695d1e60effbbc6c8e407
SHA1 a19e59d5570d1c6b6579afd7aaff33a419d596db
SHA256 103e401bef0f500643f6c8c1832d0b3dd35a7644aef472868bff7b7a5658c110
SHA512 e5e35a7e67c729298152d57b266b470d05ff8e37fccd61f3464033d60cf02ab2ba481c0c3392cc44aa40f55d6711512346eaa69f2a3d9e061d5528b3fc349a78

memory/2996-138-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-139-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f7db4a84f4b68a6d0a26317b8307738d
SHA1 60b420178786fe219610e7d2b1aa3d88df34ff0c
SHA256 dd8dd0d7f10b6aa9e504ffca3ed7641aed7f320c6a573c5566790265934b5e5f
SHA512 dbf2436713d25fa4ad0213ac369fd4b609d95db58e5b2719da37f0efd679773d82ed3d22462b5dffb13bb121d11f5d19b3aacff9ad513485041c744c17d1a172

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c470faa8ac3e1fa4968e343c3293118
SHA1 ab52dbe7d85fc5d3de9f35dc17d8bd211c8e3d43
SHA256 643578d3f371934b3d42a2a6d73e034be2c64e74b2f8d4e467998f36f500585a
SHA512 937c258196a08af2a58ae952f95b5ccab9c0cab5fef8307794f273c0c4d56245637d6f7539bae5a47adf219313fd71c23c42a0f1d76d8db405715ba06f626402

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7fcea2d6720721f6a4474235e835c68c
SHA1 deb8e93311676e130a3fa8b181a77f4ad7769dfe
SHA256 0771bcd85aac0668552af2f46d2a439df0055a8d22df7be75b2efd2e0e4ce0cb
SHA512 70621dba6b5be77170ba963730b05077655ca206eb101ea973f16ddd12d2063e7c9ab257b8702cb2bebddbe7eb1b4448743760480c97b304ce5d2053d6539a37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 35a2e0cb6680a2d95e9e5fabdab5ab6d
SHA1 e6af525f751e5a2a1134733f7ea7668fd0997225
SHA256 e6835314bd245dd1da83ee93f76c055f2d818121b240d26ca86b88bbc05b59fa
SHA512 9ca35000084e7cf5399ae6f3b9ff9942c39c99f979ee6266378666671fba1ef2c21fd9b5e510a621de703acb70616d300d925205b5c78debfc0fa77b3445c4dc

memory/2996-148-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-149-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ca73bd140d2995e5c1f28e4f6a256097
SHA1 fe2c1e39255d8e4c8a52bd504fe34fc783446743
SHA256 024e89e964dbdcb21514ad6ab7476e8a34d9fe92703ac5487b83cfbe727b7fc5
SHA512 421efd3d02a5bf54b87487674a4a619b580d9599e6b2b2bca48667e0c616336f0eb99fd792340d46526d6077002266945daa779ad0d7749933e9c476afb148ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3ca233b1982867e1ad62691fc993b027
SHA1 458062c6c77e3a529fc9335b81f7d125f4a0bfa3
SHA256 fc1f8667395060a0ffc741e949d256b94217d6b0bc3a455489ac94f267a2079e
SHA512 63faf71630817701f32b8d0b6c86a37e8e783e515945add5cd5528c2bb3ea87b5c28511a763c1cd613db111f4fb06bbb12f0731f34ad605ae887d7f3c1bb4544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aaff66b829a4b351cab282f1325c297f
SHA1 833eb9228f93c9c27c3579c46649241b96e107c7
SHA256 4c2abb0d084fd44c99a37048ae66c381101388d7c23417062aef21ca966a8c0e
SHA512 922802482ac7339a600a8e6466f6645252a163f93c2daeb65fb530f526dc59cfe819a2e130f80a8790f3e27b68db86eb1736911d37727faf263557d99645fb9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 26716825b2b48603de903480126a7843
SHA1 0896f9ab2e4a86e60e6c93ff8dabba98a43ce8c2
SHA256 f16b0e62cdc0b1fa51c773bd5293306d46cbb8759523d4afcb86091716348250
SHA512 0c183137a0996066f25759c3420a846819891e2c45c594e631e8c7888719093b2c641d795eddcef7ea5d04c8f3db0d65cb7e9a88f816b6293655844ad96897dd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7ea0e7c6faa110821ebf637cae3289b6
SHA1 f2c3f5a243dc454f8a07e3a8d1b95033c88497af
SHA256 3311415db7ebd6bc694c8e651af5121fc561a0f5a919a7b888db1c6a90cd5534
SHA512 2239b196ace58694b4f023a5e191c6cbffc5c5568008fa017c366f73c59ea2aad868651eb0ba71466811e43ee95da9a5cfc34391d29692581f92976d7a2761dc

memory/2996-160-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-161-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 de6115a3ec1f6340eebbfe2c39acabb9
SHA1 df9a53d5c41835f8cd4ab11cbaea43a11fa390e7
SHA256 f8f17578fe7600964619a5dcc949a7635329a156eb453591a7103c6579e48e14
SHA512 5c6d4c07b9a7965ea3e21ca02ae38ef281005e97e387dbbb393e454f4d69d91a001322c8646f050af3334c949ca4735328591560a1fe1532f63e5a64c1539b0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 972f9a343e1faae7abce4cc2e7ab501a
SHA1 f3a6401f21c0d96a9f4b98fa136c97feadd5253f
SHA256 a2d61e5613622b027ed3778ce87b0a9ff774df977473e074a3d7ad3588f31710
SHA512 ecc225d9da5f9a8d78433ab2723de3d75b8409d743e05be0aba48fbd16a713f5ffb682b550c1475b1b0c2740f9e4bd47e1bfe02be44a133c259dc10ebb52e101

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8535bcdedae4df0f930418adff06669c
SHA1 7238bd1f31941b061e19660f5917679513a03804
SHA256 dc001bf803c08ac218eab69d3df464b3ce78461928f52f14345d22fe745f577f
SHA512 06de015eeee3d469de5e952cc9d5087b3244591b486241078ef68e67f0764f9b90a0a056164ab20229e2dcd189c543fe0841201e85da6988354d74d99e6f7a9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 047f750066076700bfffd80efc57dfbd
SHA1 28f65cff5d7e07a1041b670d193a86e6bce049b8
SHA256 74cc42069fdd10920ac58388d00f348475abcecf6c0a0321fdb1eb5308b09a05
SHA512 32c13b2f955f1a292f0f79a529c1d339a8cccf6682f5c2ef4b0fc554beb435d9d0b65c3747c9c5b7e01bb903e867fe977fe493baf2ab391191ba227632ae877b

memory/2996-170-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-171-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d21c5423edfd5539144a3b8d3923898
SHA1 c91344635830426e8b645b4f4755fb24000ccaa9
SHA256 a4cca8c555598f7af1c721940f7f14663754f8d8fcee7f6f7869f960fe924eda
SHA512 8dfe568d02cc2e9c64c33afcbae84593e83c35f7a8f0ab1defd11ec8fbcc46b9ed0e8bebcbe7efc122234ed95067466202aa84f4e41d54bb50c396e5f701f7c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3180e088d61f6212e0b231ff5893369
SHA1 b31a17a9daf98de08e4a4d376a4f50f2d1f9d4e1
SHA256 215f0a0b11f17d872d5104944a78d795eb1b2e3031ddb160a60fbd5347d1798b
SHA512 c8d08df6207325a05d2178a8dc0f6bf9f51e921e6872c6f2f0858b2ec9651b373d9d8b018fb58e495334910f4ea83820d9bb89536cafda2d6807cb6650f53e8c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 63f11c800f11a205f355a6117ce15cd8
SHA1 27901529448189bd2386a553b98573744d3f5bc7
SHA256 408cb02d2d44f42962e7cd86eabe30b4c2838a4a5d81bdac0195963811ee7078
SHA512 ea457ea2d35e8b2dd923e21c6e5acb0085a956b2ffd7be33311f35a234594303d27aa12431495d9b8430ad60635e8378fd17cd1a33de69c7f6f73f58cee3739b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 87a27f5b80efc4b6995ad433df7f5fb1
SHA1 10f87373050e9962784a466762e7c830ebdf630e
SHA256 c4a3e9c6cbca164b7104db087acc38444b18cd4745bd97aae45b1cde3ffbf39f
SHA512 5d101f22ecf7f030709cc371fb33cdf0682f2820a09b82bb09c70d599c1a60cd459320e47abbad17e9e02e2a8971b3f242dac5fdbdd4b21d96b1fb6c45cba6ad

memory/2996-180-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1020-181-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e6eaa2e9e8f7723f8c29bfff63c30992
SHA1 09bed755a39d468dd96de0d8ddd66b116d964e5a
SHA256 9da54bab707a0b10c1893ed37f3b9ff7057cbde0c90bfe9c4e45e42cb5f4eb88
SHA512 f21890c01af5f7ad7856a29698d7be91201f428db65450f786e17e92922ebb702fa5b567d7be0d242402b6d7b08674e7f01f48b10b242caf9a92723047109714

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fffba7c5160f5807d3942d0bb92d5284
SHA1 0e05225930971ff166355442d7ee4c6ad94ac90b
SHA256 0ba9fbd6fb80b6aeaece19e7a5bf50ef2339387b0ac4664b5ea790e41e1ff038
SHA512 886e98acda75c67950db839d0788591caab29911f16914e20211db5da323d3bafeae3ed443a9608e5cc9a8e816c59796e7e6320e591fed4ba248399a4da15315

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61943a5962950b4ac71d49a9b2a2d933
SHA1 708041c1d36c9043b8d5bca7575966e73699ea07
SHA256 4dfe79003ccfa1d682142854c194e44126d59a17f6b2fb0d803942ace37c1ed2
SHA512 360642ec86d4952b23dd6ee1be27996d7cd7e7c8c1fd7195ff480c1e77ffd12c4bfe660572bfe7e4bc0ca2f1a6a67eb9d06f92e6f9a97834660a30459e991981
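The listing above repeats one path, the per-user Startup shortcut Soft.lnk, with a different digest set each time, interleaved with memory dumps of the same 0x400000-0x478000 range from PIDs 2996 and 1020. Two details are easy to miss when reading it by eye: one Soft.lnk record carries the standard digests of empty input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855), so the shortcut was zero bytes when the sandbox hashed it, and the dump names encode PID, sequence number and address range. The following Python is an added example, not code from this report or from the sandbox vendor: it parses this Files-block format, groups writes per path, counts distinct contents and zero-byte writes, flags Startup-folder items, and maps dumped regions per PID. The SAMPLE is three records and three dump lines copied from the listing above; the digest-length check is there to catch hashes truncated by page extraction.

```python
"""Parse a sandbox 'Files' listing into per-path and per-PID summaries.

Added example, not code from the report or the sandbox vendor. Input: a path
line followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump lines mixed in.
"""
import re
from collections import defaultdict

# Standard digests of the empty (0-byte) input: a record carrying these means
# the file existed but held no content when the sandbox hashed it.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex chars
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return (writes, dumps): writes are (path, {algo: digest}) tuples, dumps are
    (pid, seq, start, end). Raises ValueError on a truncated or orphaned hash."""
    writes, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank separator lines carry nothing
        m = MEMDUMP_RE.match(line)
        if m:
            if current is not None:
                writes.append(current)
                current = None
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m[1].lower(), m[2].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line}")
            current[1][algo] = digest
            continue
        if current is not None:  # any other non-empty line starts a new record
            writes.append(current)
        current = (line, {})
    if current is not None:
        writes.append(current)
    return writes, dumps


def summarize(writes):
    """Per path: write count, distinct contents (by SHA256), zero-byte writes,
    and whether the path is a per-user Startup item (run at every logon)."""
    by_path = defaultdict(list)
    for path, hashes in writes:
        by_path[path].append(hashes.get("sha256"))
    return {
        path: {
            "writes": len(sha256s),
            "distinct_contents": len(set(sha256s)),
            "zero_byte_writes": sha256s.count(EMPTY_SHA256),
            "startup_folder": "\\programs\\startup\\" in path.lower(),
        }
        for path, sha256s in by_path.items()
    }


def dump_regions(dumps):
    """Map each PID to the set of (start, end) address ranges dumped from it."""
    regions = defaultdict(set)
    for pid, _seq, start, end in dumps:
        regions[pid].add((start, end))
    return dict(regions)


# Sample input: three records and three dump lines copied from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5 7753a2a9c2820e0f324e41290e4c045f
SHA1 7e7ee17bde54162566a721a7034359f9bb5e32b9
SHA256 57f5c800ae4794ce41897a95aaee6d3f7c0483e23c15ba91e3ea878205c9b018
SHA512 f1caed580f29d03039d710d84beb4eb2fa91cc51d67f3b9c488412b42f952476630d14784bdfd0bc8827b3903a337e1cefeed9b21706aea90d4774c4b5345d3e
memory/2996-90-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1020-91-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5 a934ce6ff6cefe82ff34e65b5b96af82
SHA1 ad9ead4ddf7c7ddd471b8c2a89d736e8fa78b1db
SHA256 fe74a6460dff03c2fc047241cf9efa33e4c0617df8ed8461eb423ce41fa83294
SHA512 b96bfe4713e67f23ccffd5b5e77aa62b03ff380fc2729ac9fffc83e2b0cadfe349060ef2b731d8d667e73be5ed226bb343ece85990c8197cb8c0b7789c5e1fef
memory/2996-128-0x0000000000400000-0x0000000000478000-memory.dmp
"""

if __name__ == "__main__":
    w, d = parse_listing(SAMPLE)
    print(summarize(w), {p: sorted(map(hex, sum(map(list, r), []))) for p, r in dump_regions(d).items()})
```

Run against the full listing rather than SAMPLE, the summary gives the number of times Soft.lnk was rewritten and how many of those contents were distinct, which is the figure to carry into an IOC list instead of dozens of one-off hashes of a shortcut that changes on every write; the zero-byte record should be reported as such, not as a hash to block. The repeated 0x400000-0x478000 range is consistent with the default image base of a 32-bit PE, so the dumps are most likely successive captures of the unpacked main module (an inference, not something the report states).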