Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-dh1c8axbrq
Target 600afc997d421b9ed14064b2759879de_JaffaCakes118
SHA256 bf6acb4359d2cc3d8ee27fb9093bcbb478dcdb919a5a05dcf80039aa21c811bb
Tags aspackv2 discovery persistence ransomware
Score 10/10

Analysis Overview

Score 10/10

SHA256 bf6acb4359d2cc3d8ee27fb9093bcbb478dcdb919a5a05dcf80039aa21c811bb

Threat Level: Known bad

The file 600afc997d421b9ed14064b2759879de_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-20 03:01

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 03:01

Reported

2024-10-20 03:03

Platform

win7-20240903-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 03:01

Reported

2024-10-20 03:03

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\600afc997d421b9ed14064b2759879de_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

SHA1 bd0bd53680320aa9eb6ee5c7867f046add8bed32
SHA256 edb0fcacee3b9d02478aa50a0912b19eebdade71ecea608aa90c56b43c584d3a
SHA512 da4816cb9e6013e0ef7a21b0963905ab628067e124a1f716e9cbfb112554c4dac788e78b20ef9d5b8f7173957140d0d886dacb388a179ed0c914fe70f2863625

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61223f9e40150726941e3de393e73e62
SHA1 48aab6e4b3576859e80b85174cd300faffb5558f
SHA256 acbe9b8c37a6d5c3846da74a845f617e1a3828e5bf7817be180787ab2013b707
SHA512 516be080f32c36292ca75ab680dbc00fd8bb32390ebfdba89763ad939fa88706db937b7c802785e7d4191c3215d5062eb64ea8c71ebf9d3e8593ae9930d07148

memory/552-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3104-116-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 950671abc073084ae290ab67999077ec
SHA1 f00bc4034eb422af10a4848c03b003b464bb5269
SHA256 ab5e144958755d4c791dacaeb95a2552adf22add0501384192b7128989cdee25
SHA512 ebdd39f7ca6d67788e657682ede39bfeb50be63cce77268e665ad0547d85547b3bd0f566a1cf2f55ad29be98846f6fd9227f5225d2ab76ddbd47e8657126bc9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 471349e77da02118fc3ae27f48127717
SHA1 72d29f812e05c145ca3e32eec761035f4e840a6f
SHA256 e5ff67ed7a1ba147ce48f0fdf6a95924c345ed258786a45d2c019a231e1f625a
SHA512 b365f815ad8278aeeffcfb5353af12eb1f6c8d2fe71983337c7555de5f8c7e52ef2e599fd766c1e2a6e9c8fc43b88da6cd44bc30eb415c3195fbbc474436021b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0410d76c71c1db63ed8e1f71a066815b
SHA1 215fab690d93afe7b2ae012989d71b79e12e6c8f
SHA256 b358bd28b83fdaf674a33d27072ccaab8610cbd5d5113acf652500bdcd9b19ee
SHA512 1a8fe26b49e21beb98bc01e2255e77970f846f44c30a2b66b055b3e224f2dc1383174981313270cd05f4bab29c0ad2e5f6fc63fc9ff30c2aad02cc33a4b8b54c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/552-125-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3104-126-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dafe1b85e19a66315a95730f2ec78245
SHA1 3fb7ee644cbbde6e21397f3b92926d19a160aea5
SHA256 fa9eceefbde103cbdce0857f05ec2512736cb1373df78a7d5d0c9af3cd46af88
SHA512 e5fab877adbf90a9609a46a6eb7297f8b60e8505b9f93d728d4af946254b7b833e8b9437b9047f369bd708808c8742bed2a5ad7f85aee4a6133b648d8c4dbd48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ff0b7ff60be2c9b1e1e89dafb1563663
SHA1 ddffca4bae8ae52af7310f177b912ee8c06c089b
SHA256 76be7221307a95bdb7c76b33b57bdcd16ae31736503720c4e096de5fe73b9c1c
SHA512 0c4d40a8c6b17027a5034b0109395e6c0bef985e21645e9b9092b995e2e09e1332c81b0f3c5beed37d74cdb4acc30b835423f4859f463d0849f49062fe5c12b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 eb42d69e56a7945ab947ced2b33b6ce0
SHA1 21796ae6ff901c6df58710aaf108836154f11864
SHA256 e0858cf9b27d1d645c73843bce987b8f0227d76bb4ff0d6a57d0fd336c0de741
SHA512 b78929967c239c0bc8a00633e74a7f6a769766b24e2a3a64c7aa531dec06c70a6bbb2a23b88bb7c3c4e32c0f97f610757cd4aaa4d73f60e14420a6bb4dadb8fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a9b3d85ed6ea41c8f7859cdcf4446813
SHA1 ee57717d773e9316a738364f2679ffa93f9e9530
SHA256 7f37d44e81050bbccfd4bee4267b2127c1d8ca8a42fe65a8ab575064f9dae1c3
SHA512 6c9c765036d62d9edc103d8402dcb2291d0e85f4edcd9394b98ff81adaf693145dd8143a18921c223d13a045be3ce4d0fb6197d52c3c5c3f2380cf16116fda1e

memory/552-135-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3104-136-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 38dd08fd556061536f01db4e55ee2e93
SHA1 5f3d0ebe4bc802f3543d401a0641ec77f187fa55
SHA256 10aa40f5a08020cfb77e6dc13c55b462a831604d0de691db6178584ad62534b6
SHA512 eb1bf309c4eb991ffb3ade30d0c1f5fc57e166fa098d1ea942a0bc041664f93bdbd61f259d12c61cad6d150730de234ea85c43277f3502d768715598cc2412a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0233d45a7f8438ee9ff7170b9b5ec8db
SHA1 10a229206abaeaa5c622b575334988ccf279af04
SHA256 3c6e0f70ab38224c930a4b764772d52d7271ded46d656b5b7b5c6a05918e51e7
SHA512 05faf562f27cd5f0ef7d1adc83e5514be66fa615ce9759118569b707f09785ee47ea11408573bcaed8cfeb137e0a4775cd9a814bc8c05c47149789e79c5e3d10

memory/552-141-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 03a43a43008abea17796b7f7f302ddd6
SHA1 80f56974da90c6a3c98978fa6ed9381d3fa43075
SHA256 970d62d0225cabc238639adda9319f85468a28cfcf7effbe87528fbd6d8a5f71
SHA512 efbf278a61d13662390c95292aba331f8fc5b5c081be8cd4eea777d19408727b5d4e70dcda01cfec74a4476b21dc0c72997924c87e9c0ff3841ed370910aae11

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e4ea205b2628df9d18467a4c5f17ae05
SHA1 1598dce1166eaca01db260a90af7f7ba169012a6
SHA256 7b3660976ca726c05f313500314b2642d7af4e12403819a7bbf7efee88053592
SHA512 28dc3c757176f6e679ca9b9df2d941d69151cef8534d3d1a17d84644f3d7cdd9bc5704fb9e09fa2c17fe013510a68758345ac18551679e8c2f59bee12674aeff

memory/3104-146-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6dbbe4d0030837ff8d0037bfa96e7899
SHA1 90ae332b1ef410a44df84c60499ba73d1a0b544e
SHA256 b38c1f1d18664816616bb6ab8f30b8a7f4343573ce29387360bf27da53f660b1
SHA512 c3855c671668d75eedae8c2108d7146c15355252f2212c5522ff04a5886754334be54445a40587b62204a3cfa2ebae70643b69bb86a1585d7fc99b6018e21355

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bb9405b5a8cf23093c587afdc646b4ff
SHA1 1383a75ca2753bacec9fefcbc4e5d803ddda558d
SHA256 5feba2f6852258bfd2b2d202085992d8c8623672a3ad75dadf734a76379796b5
SHA512 d0aeace1f17a7da7e0f6031f6707cdb89aaba1ccd9477b74d1dc7ade58798a64a4899be2bead9e9dba40e0d1c8d6ada13d9defe353b20b4e8ab4d7631eeadc1d

memory/552-151-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2c4344d193fd6d7e724b73d438415873
SHA1 63bf6c26f8db2524c467553910d8b281f8886590
SHA256 7d09d6a5c15b3bdc821302f5c9d819b411261ecd3dbc309e67349f4fdd63dba8
SHA512 a6f0990f7ab970db92f3a3bd0a4ff4c3a3b22bf4d7fd7d2596223abd6aeda7bedfa79d56abaf289a18708bda4a59f4e8ea63cfd0385036a85043cd32a572b70d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a53f010de771e666fd78d97cb834a519
SHA1 1cc7183997d297394f389aff08b2a65b8c41551c
SHA256 cf3b21b70403a17086a9b2b0f015e482833a7737e27618280f62f899a37e4af1
SHA512 9fee6cf994786892a38e446ac6caa8c276d6b286e7b7dd32cfab58a76b098ce620375fe9a32497ca76467853b681c54ee151ec026ff9c27b104b7587708a77d0

memory/3104-156-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 074445c40ea9147d1ce9eae6149b7f63
SHA1 2c3bf27dd5f3a797e021f493a3c7200b494a0fdd
SHA256 dd1fbaa40b3583c278b95df52b3a7daa0f415305ba5e0a37f7239e12ebed19d9
SHA512 7cbb52e89cc4b6c2b8399ad9e528b299017f92b5e95f982a59da6b621fe87c3c45dd2ee97ba0d1a72d5ee39af8033be54edcf5abb3fbfa61641f6021b1a1c5ee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ea7761d0b3e7fcf217c02f6ec77e11e4
SHA1 4ed803717abeb3e0e89991de9ced464e28adf724
SHA256 82f1927dccfbc06bc4e3c38ca197c27dc44c7eaaab24371328480195c8812892
SHA512 bfd977102ec6f7b4e3c880f079c53e70b785d193f34bd7aa4b1cc1e919acd1b30b00051f18efe833e76128d564fca16c070596768ef54077386930da4b002fb2

memory/552-161-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ca477cb43ca4ebdeefe71899b160598
SHA1 7dc00a7dc1550a79b0a66d01a76a158a9964ea3a
SHA256 f13d3bad1aec711a51814f94ece23ca667648a5893350a52ff1a3c554ccb6cd8
SHA512 9b055cabaf1692d00fc953925a861be5e70aab8329d09c4c4f2d7c0d3a5052704f2d0f31cc6dda38585dfbd9f9a19714756514e76e5692e1e888ef7cfc0bcb68

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b65295dca4e1ec8587f2c80062152e9f
SHA1 8bce607bf27523e19d79ad4323838d458afb0a51
SHA256 097c7b45704d6717e00604b1b6b54f74970be9bd4c2ac0f5b98d576b42fa41d7
SHA512 c91dd21c4405e7b7701e548b689a8f7f4d37be8cdebd894a5a0d7da6d5a034ba2f26f119b4b19cbc78a57964fd355e08c738f9e033ad5d5b2cc7351b72d4e32a

memory/3104-166-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6806de5efae2139bd5babb8eb11ebe2b
SHA1 9d8a26bb2a4fadf81f9c39319e8893de376a1da1
SHA256 98c05b269775e1d3f368acf6877665aecda6515f55b416e0685803dd34b180e8
SHA512 38335834cd45d384decef62f76bff058f92b099b00419a9835ce7ff7859355d89af0623789ffd3e72511c1f4ee170807c71333931f447c4e4716d5ab371cc242

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 82266c21b8de41874efcf7a20631e704
SHA1 22043d6b8757aa3c9df0b204dd7e323d1ab6eef9
SHA256 4a628904025baeb43096d4979e4dcca07aea05a1cc06da88fcf5288ce4e9f237
SHA512 8e80dcae5ac6d55585eefc97a8b9ad7a8aa4f73597d5e1a02188c92297590cc20403f57d2a2db9186fe626d57e820c798d29af7ce11657a1df0685ab8a8d9b33

memory/552-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3104-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1bfbea989c5a525a2b3d295120cbb796
SHA1 26465ec170c1792ca881e13459ab0aca033ccc07
SHA256 3a3891950f5250604c93eb621b74ff55719e2d8cc573892dd70e942ece9ce125
SHA512 482513bebd1ba656b48d868eed728805de463267e5253b36d05031860493778d8411a53c7f64f8c6ada2b4c1202c7af479bbfb781d31c9fe1b8797b95ac0fc80

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0ad01056e92fa9d8ff9064eb31e93151
SHA1 736dc2079071d0002c904be23be082915868026d
SHA256 aa4128fdb83e5085a8960432418b360eda175c8a988d0f1cd8f6766b16443672
SHA512 462bd7be29cecb9727574ea9cf3a0667bcefc720bf83b5b6e5dd1b1e347f4835eaa319034663ce5342325add3ea2c07e6bfbd6c4d06e41165bb611c578411f98

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9c3b6d150263eecb93de868b5ff6fa93
SHA1 7c8881f64f3f91475d10e3fa4a233d7a2f7b513c
SHA256 ded2a9e02b3a57ef95fb4090f085ecffecccf98645f51003da6dde754612d90e
SHA512 fc5e14fce2d4f42d09d040ec0d3ad13836afbf9dea88e6de6edd35513c3c363f3693add8ca24ce15db81eda0315e3251dde21c4b7cfba385a4af109481e2a5a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e99f0c0f842539443c8763508538c25e
SHA1 4518d95ead821a874ce28cec9000bf776e0fe75f
SHA256 2c706797723f69e0d102a80088a53583d74986302d311c58809975be7c2b0fd8
SHA512 730152ffe3fd5cfb67785d0f7a3c05f863131d78bf83c83b0aa534ac32e411c3b09dc79c48e2ec11beea36cd925bbac14a93df3a9859e8202607c043a18e4d0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0e7dce8024a92871be144ae2ed6fa73e
SHA1 c98bc3b07451307e22d8e1e3e436159ea6b78b96
SHA256 ef77edc0ce27a7093f2587217f5a390a950e079f693f4790fdac479f9696d4a3
SHA512 6bddfd4f32f1b2b56a19f5dcf5c461b046839a9b394fbf3cbdde17f4ba6884acd957c589c9a22a562fac165a67b53471ccb8066b383284803b12d0478860386d

memory/552-183-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3104-184-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0fb7996518db97178d720bbd92fd187c
SHA1 f7d7f34fe3d93c4d19b3b481fb7c3c07c9160742
SHA256 bb689cfba63f7fa6d570bc2c697e44d15fe1e17171808a146e67e4a4bd183866
SHA512 b2a477394eae4d95a9445a05d7d9b9d65a554059913aa56599aa322c636f917e02608d9dce03678667cabeefbbf5c100de36ae8a398906c346da8df7fc67d0e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a09cb6225efb95b61b0735000d73ee6
SHA1 c7fbb9cc2b950aa6b0d78176a0cd060647d5ad4b
SHA256 155df2a3483b77a65310488b1731a142e350bba9068de330dc786de3c076e919
SHA512 879b70b1bf82cb90c4aa1d2c28a5bb149874fb303014348763c3969fc2307d3e511112908313ed9b8e90ec3d5b28dd89a12a73211871361f386b2d0e2ef36d5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 93a05f24103265d1ddf6d53ec6c1fd6e
SHA1 c303a5662ae5894c5ee246c86e82438169e879e8
SHA256 b06ea2c19cb0d556bdda4b35db3126c4af54a1a465e2897bafe7f8b832f3463b
SHA512 b70b591054b2c90b8b0778efe7f38e94fb17ad4345ae6266a9571bafecfd8c63933723338f644cd3ee4a6f2caa06171b645411a5d4be57b18e790f59a6c493d8