Malware Analysis Report

2025-03-15 05:44

Sample ID 240509-evzg5aab6x
Target 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118
SHA256 041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238

Threat Level: Known bad

The file 2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 04:16

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 04:16

Reported

2024-05-09 04:28

Platform

win7-20240220-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

This signature is a rename heuristic: it fires when many files gain an extra extension, which a worm or file infector appending .exe also produces (compare the desktop.ini.exe under C:\$Recycle.Bin in the Files section below). It does not by itself show that file contents were encrypted, so the ransomware tag should be treated as unconfirmed.

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
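The report records an AUTORUN.INF written to the root of F: beside F:\AutoRun.exe, and the hashes in the Files section show AutoRun.exe is a byte-identical copy of the submitted sample. The following is an added triage helper, not code from the report or the sandbox: it parses an autorun.inf, extracts every entry that would launch a program (open, shellexecute and the shell\*\command verb hooks) and flags those that point at an executable sitting at the same drive root. The inf text is constructed, since the report does not show the real file's contents; the only thing taken from the report is the F: root listing.

```python
"""Added example (not from the report): triage an autorun.inf like the one this
sample writes to drive roots. The inf text is constructed; the report shows
only that F:\AUTORUN.INF was written next to F:\AutoRun.exe."""
import configparser
from pathlib import PureWindowsPath

# Constructed autorun.inf in the style worms of this era used: launch on
# insert (open/shellexecute) and hijack the Open/Explore context-menu verbs.
SAMPLE_INF = r"""
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\open\Command=AutoRun.exe
shell\explore\Command=AutoRun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def launch_targets(inf_text):
    """Return (key, program) pairs for every entry that would run a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # inf keys are case-insensitive
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in ("open", "shellexecute") or is_verb:
                targets.append((key, value.split()[0]))  # program, no args
    return targets


def suspicious_autorun(inf_text, drive_root_names):
    """Flag launch entries that point at an executable sitting beside the inf at
    the drive root; drive_root_names is the directory listing of that root."""
    present = {n.lower() for n in drive_root_names}
    hits = []
    for key, program in launch_targets(inf_text):
        name = PureWindowsPath(program).name.lower()
        if name.endswith(EXEC_EXTS) and name in present:
            hits.append((key, program))
    return hits


if __name__ == "__main__":
    # Root listing taken from the report's Files section for drive F:
    for key, program in suspicious_autorun(SAMPLE_INF, ["AUTORUN.INF", "AutoRun.exe"]):
        print(f"{key} -> {program}")
```

Windows 7 and later (and older versions with the 2011 AutoRun update) ignore launch entries in autorun.inf on non-optical media, so this propagation path needs an unpatched or legacy host; the parser is still useful for establishing what a captured drive would have done.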

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices
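The signatures above describe one chain: the sample drops HelpMe.exe into SysWOW64, points the Winlogon Shell value at it, writes Soft.lnk into the user's Startup folder, copies itself to drive roots with an AUTORUN.INF, and runs the dropped copy. The following is an added example of detection logic for that chain, written here rather than taken from the report or the sandbox. It runs over constructed events in a simplified Sysmon-like shape (event ID, image, target) whose paths mirror the report's indicators; the Shell check matches on the key suffix so that both the native key and the Wow6432Node view the report shows are covered, and it treats any Shell value other than a lone explorer.exe as anomalous.

```python
"""Added example (not sandbox output): detection logic for the persistence and
propagation chain recorded above, run over constructed Sysmon-style events."""
import re

# Constructed events as (event_id, image, target). EID 13 = registry value set
# (target is "key = value"), EID 11 = file create, EID 1 = process create
# (image is the parent, target the new process). Paths mirror the report.
EVENTS = [
    (13, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = Explorer.exe HelpMe.exe"),
    (11, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\SysWOW64\HelpMe.exe"),
    (11, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk"),
    (11, r"C:\Windows\SysWOW64\HelpMe.exe", r"F:\AUTORUN.INF"),
    (11, r"C:\Windows\SysWOW64\HelpMe.exe", r"F:\AutoRun.exe"),
    (1, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\SysWOW64\HelpMe.exe"),
    # benign noise that must not fire: default Shell value, ordinary user file
    (13, r"C:\Windows\System32\svchost.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe"),
    (11, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Desktop\notes.txt"),
]

# Suffix match so both the native and the Wow6432Node view of the key are covered.
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
AUTORUN_INF = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)


def shell_value_is_anomalous(value):
    """Winlogon's Shell value should name only explorer.exe; the value is a
    comma-separated list, and malware also uses spaces, so split on both."""
    tokens = [t.lower() for t in re.split(r"[,\s]+", value.strip()) if t]
    return tokens != ["explorer.exe"]


def detect(events):
    """Return (rule, image, detail) findings; a dropped exe is only reported as
    executed if its creation was seen earlier in the same event stream."""
    findings, dropped = [], set()
    for eid, image, target in events:
        if eid == 13:
            key, _, value = target.partition(" = ")
            if WINLOGON_SHELL.search(key) and shell_value_is_anomalous(value):
                findings.append(("winlogon_shell_modified", image, value))
        elif eid == 11:
            if STARTUP_DIR.search(target):
                findings.append(("startup_folder_drop", image, target))
            if AUTORUN_INF.match(target):
                findings.append(("autorun_inf_written", image, target))
            if SYSTEM_DIR.match(target):
                dropped.add(target.lower())
                findings.append(("exe_dropped_in_system_dir", image, target))
        elif eid == 1 and target.lower() in dropped:
            findings.append(("dropped_exe_executed", image, target))
    return findings


if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"{rule:28} {image} -> {detail}")
```

On a real host the same checks map onto Sysmon event IDs 13, 11 and 1 (or the equivalent EDR telemetry); the Shell rule is the one worth alerting on unconditionally, since nothing legitimate appends a second program to that value.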

Processes

C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2360-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 f0a44ee998a882c3e4c678aa3531ead6
SHA1 a3a09f6cf6c279b9de214f66fbdd2ec83c1b712a
SHA256 61c4df611a34b71da7ff55059ff188f35515ea13965caf6c02d9631999007090
SHA512 db0c5dc49b3ab0b1fa95b45cafb8daccd1a8a6009c16db6c6f6186485b7bcd62f1bbcf36598644a4fc39ebdbcc016c08ff2e255c8ec5574dc3584d8d3d28d954

memory/1312-10-0x0000000000220000-0x0000000000221000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

MD5 7af4aaa5060f745023e1bd2c3c85ba78
SHA1 ea10eaaf3faf13c1019aeb74b2f5ef5eceac5e79
SHA256 be8888114d1e8abd85286d2e405e8d93a1af1c15d268a9b46163f08e9db5df69
SHA512 1023880a38a395341d6769aa8c69ed643388d84ec0c4d3dba8083714c4b1e1184ae8d9b1b57476512a09a8b6ef201a9b02a7b2e534fec8d78f0ea1967d973193

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

F:\AutoRun.exe

MD5 2843c6a46eeb3108c0edd94dcf6bf6da
SHA1 bdf32ec22c66b3a95b4d72d64af9ae6403fc36b2
SHA256 041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238
SHA512 18bc760f41ff4b9093fb4020959e66c696980943ed219dff6794d0c36ebc0a461dc05485c5ce8f2ac53632344e1123e9902a5aafd58dc50f65736ad065e67057

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ce1b4fcd9bf0e3e40dc86efb390ebc12
SHA1 a3bf680ace469dd91b64c34eabd960ea7e3acadb
SHA256 359f5858a2cf0afded14f2f95286377d58e2efcc048c4e1e9c2058019b577661
SHA512 a89e13695bce326051a30f24c6e47db7fc1432a37c9234b54a7939ef0efc563fdd28d8895669577ba4963d7391b127d25d2f317c88a9623ef972cb0a3720b37a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fbdebe081c144f9cc3e76dbd2a72981b
SHA1 977e813c1c034a8533e2021be6e342283d98d39c
SHA256 953a906cc03f4dd3ecee748538c8a0c48b47bb034cea66731ec6a33869c763f2
SHA512 f24ec7f2bbac1a3d22d67a20889f44c71c44afc0a09d02ecfd2ff8a7f069de2ac11deaabd7b1c1d7ccbb54f5be074f19774a21077f7cc396d6bd444acc84b701

memory/2360-230-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-231-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-244-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1312-243-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-242-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-256-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-255-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-269-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-270-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-282-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-293-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-294-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-306-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-305-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-317-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-318-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-329-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-330-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-340-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-344-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-345-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-352-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-353-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-358-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-359-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2360-364-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1312-365-0x0000000000400000-0x0000000000478000-memory.dmp
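The Files section above lists each dropped file with four digests, interleaved with memory-dump entries, and the same path (Soft.lnk) appears with several different hash sets because the file was rewritten during the run. Two details matter when turning this into indicators: the Soft.lnk entry whose digests are d41d8cd9.../da39a3ee.../e3b0c442... is a zero-byte file (those are the digests of empty input) and is useless as an IOC, and F:\AutoRun.exe carries the submitted sample's own SHA256, so it is a self-copy rather than a second payload. The following added example, not tooling from the sandbox, parses an excerpt copied from the behavioral1 Files section (SHA512 lines omitted for brevity) into records, skips memory dumps, annotates those two cases and produces the distinct hash set worth blocking.

```python
"""Added example (not sandbox tooling): parse the Files blocks of this report
into IOC records. The excerpt is copied from the behavioral1 Files section,
with the SHA512 lines left out."""
import hashlib
import re

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of a zero-byte file
SUBMITTED_SHA256 = "041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238"

EXCERPT = r"""
memory/2360-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 f0a44ee998a882c3e4c678aa3531ead6
SHA1 a3a09f6cf6c279b9de214f66fbdd2ec83c1b712a
SHA256 61c4df611a34b71da7ff55059ff188f35515ea13965caf6c02d9631999007090

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

F:\AutoRun.exe

MD5 2843c6a46eeb3108c0edd94dcf6bf6da
SHA1 bdf32ec22c66b3a95b4d72d64af9ae6403fc36b2
SHA256 041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238

memory/2360-230-0x0000000000400000-0x0000000000478000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)


def parse_files_section(text):
    """Return one dict per on-disk file ({"path", "md5", "sha1", "sha256", ...});
    memory/... entries have no digests and are skipped."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None                 # dump entry: nothing to attach
        else:
            current = {"path": line}       # any other line starts a file block
            records.append(current)
    return [r for r in records if "sha256" in r]


def annotate(records, submitted_sha256):
    """Mark zero-byte captures and byte-identical copies of the submitted sample."""
    for r in records:
        notes = []
        if r["sha256"] == EMPTY_SHA256:
            notes.append("zero-byte file (digests of empty input)")
        if r["sha256"] == submitted_sha256:
            notes.append("byte-identical copy of the submitted sample")
        r["notes"] = notes
    return records


def unique_hashes(records):
    """Distinct SHA256 values excluding the empty-file digest: the blocklist set."""
    return sorted({r["sha256"] for r in records if r["sha256"] != EMPTY_SHA256})


if __name__ == "__main__":
    for r in annotate(parse_files_section(EXCERPT), SUBMITTED_SHA256):
        print(r["sha256"], r["path"], "; ".join(r["notes"]))
    print(len(unique_hashes(parse_files_section(EXCERPT))), "distinct hashes")
```

The parser relies only on the layout visible on this page (a path line followed by MD5/SHA1/SHA256/SHA512 lines, dump entries prefixed memory/), so it applies unchanged to the behavioral2 Files section as well.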

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 04:16

Reported

2024-05-09 04:28

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2843c6a46eeb3108c0edd94dcf6bf6da_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Every destination in this capture is the 8.8.8.8 resolver or a Bing host (g.bing.com, www.bing.com, tse1.mm.bing.net), plus PTR lookups for a handful of addresses: the background traffic a Windows 10 image generates on its own. The capture is per run rather than per process, so it does not by itself attribute any of this traffic to the sample; the Windows 7 run (behavioral1) recorded no network activity at all.

Files

C:\Windows\SysWOW64\HelpMe.exe

MD5 f0a44ee998a882c3e4c678aa3531ead6
SHA1 a3a09f6cf6c279b9de214f66fbdd2ec83c1b712a
SHA256 61c4df611a34b71da7ff55059ff188f35515ea13965caf6c02d9631999007090
SHA512 db0c5dc49b3ab0b1fa95b45cafb8daccd1a8a6009c16db6c6f6186485b7bcd62f1bbcf36598644a4fc39ebdbcc016c08ff2e255c8ec5574dc3584d8d3d28d954

memory/1528-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/1436-1-0x00000000021C0000-0x00000000021C1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 2843c6a46eeb3108c0edd94dcf6bf6da
SHA1 bdf32ec22c66b3a95b4d72d64af9ae6403fc36b2
SHA256 041ff3ba97f4fd796fc6cc7148c1cedcf4ce4fbb349c6d1d8c2057b77a947238
SHA512 18bc760f41ff4b9093fb4020959e66c696980943ed219dff6794d0c36ebc0a461dc05485c5ce8f2ac53632344e1123e9902a5aafd58dc50f65736ad065e67057

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.exe

MD5 9b55fe4aa580eb34caa169c736435d41
SHA1 2ab5a56b0d4bcdabbacc97408f3f6471081c6b0b
SHA256 60aa69a4f33e106164667fc5998548596aef54787675b19603d9599fe2d1395c
SHA512 eb3fd04994bb95c3264d3af84abdbb7e685baae3f109590319499be8cd3b8bd0d7165237352919503a022e44b12dab6a0801bee924e9d5b3473da4bd5a57cb63

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bcdd2225c78fa65036bd68efac9e395d
SHA1 630af814c5e897a588774348ab33b1373be04290
SHA256 db2baf33fe04726210eee0539932145b5c1e207ab64f5d99d97437bfb322667b
SHA512 10200364817e82982bfa49a6175e2a95bf2203aefaa4d9adc9ff1ae410dea80831d2d608fe1433b2077444e3e76ab3df87a876ea0fb3bf59982b91bda0173c8d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e741edda99be2c7e927e7e216e4b34b6
SHA1 0b19a4cb7f99d723e1afcb6112a2c66e23e94fc5
SHA256 8505ab43de109246cbd4a111a27adcd050997941ed5a63575a533ce8ffa411e8
SHA512 e1bbdf1ee85d354d8e26eb7662cd7833666e255500e6b0dd6b091ed33c01ee19786b09cba7d9949ce4d5fbcb46861fc7f80014d1da8ed315e3865a9c7aacfeb1

memory/1528-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1436-48-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 da5a56026314234eb79b029416a0b958
SHA1 e6ee7f24bcf069776b85977fe199d27ffdb789ad
SHA256 09ed0bb7da2842c6e13a33fd7c855974e6db56fb5057023cef76cc639e21fafa
SHA512 c460350a8aeb7fe1a2011b13e73060238a290b27f9a84867f4699f8bab060dd85be87f6310c0f58f99ab2787019c4256dd409e95d54ed1bc245a10f09ed990aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 51287f272e20bbf7017d3a2f3a5deb85
SHA1 0e8aee7deacb5033f29d744823b69184b1fac79a
SHA256 cd386bf7436830c4ea054c5de45ceeb17a84b41ad2627eadf9e861848fa3e47f
SHA512 d1ec080d8e5dacba24961886e20fa1d7fd35e9e9d3823238d7d15b64117be322d0f8ec5614a2449f7281eb238dd19f46326042e17aad700a3972b8a4a1f906e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1528-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1436-57-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b77eaf748f11117ed7c89d79d1826757
SHA1 ea5a0d05572211fa729dd685443d916a84a4ed9b
SHA256 ff8d03aa26f50d92d59fb07bb3c9013c05839221a535bbe5f0211dd2bd3bd82f
SHA512 9c3135015af01c4c383ebe55af608d91d283eb0ee918ea93b9fcbe73edd97d7003e6981a377576159fb154d5c5eaaf4e12c2ba138f1beedce2423a03fc7b3012

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0071c31e0c6b1494205a720e13774596
SHA1 279b6b002414c3df966b4b866c0a9b5cd4a51231
SHA256 b1a64a6be2ac44ef2cbc4cdf438806425ea67b385af6ad3de3eac10fa8d2aeab
SHA512 ea443945d8590792ecd39524f50ad7ffff761f03794ab8e926c3ee546c3426f420fd9d451e10b96ac5322f807d15c0627241dd78cf73ebd422e0e7f2fa9c551e

memory/1528-67-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1436-66-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 98da4c6fe6dbd418f73d9de277528536
SHA1 6de5524e1df7153cbc8f8854ec5e7955745449f1
SHA256 c7b060b8f4b5ff9028af6b350987e86449845df6d88fba107bbd6426ad144dfa
SHA512 88a15be0b7021fc01b2b674e2059c52e0d4f906eb4fb1e1ec7b27c4f719309c82292642c5d7aed3df01ab69cee4243162d36e129bc8314fe096a63f5847ae9f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 993b429d58ecd14addc0d2667867d0a1
SHA1 81deebdf0c544ed5ff2dca1e84a5ef29be9886f5
SHA256 f12545e0ae0955cc542a6bc1e6e181f1517468715779ba7c7b63c1f2b09599b4
SHA512 4a065cf0ea93f3887ba3aa1cae0a372af7cdf04df077522d15068f1b735b531c160936633fd59dcae1782f49d14398e854f7430e71958d143db60c006aca6b44

memory/1436-74-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-75-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6383ea8478209616ebc243c07b6d7bfb
SHA1 0e6fb9f120b975e7342a0be59361cc11542013ff
SHA256 a6fbd8a83aab8c1258b2bcc02ad070ee2351769683b660d8e0d9e49e0c3e082f
SHA512 1561e4c2cbae24ed92ba1f6c5ec934b3dab8141d5e5e3bba44868273d231f44d86e08296b3e81f9ce7ec232c20431a6833fa91f9b7dfebc70b567cf3afc506ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 04de830827425f4f98b33066bf4f77d5
SHA1 c2f084e0a5f760b51df876ee2cb811de0d32a4d2
SHA256 cd21e95ca32ea99196d1e3ba11e1880a30052668b8b2332d5ade824ea9d60e9d
SHA512 553f94243405998a1b8744d2a2703cce0257f7bbfea828db182207950a07c3bd7b25c58e32f976a597d46f88b196c43394d2d13147f6f16bc7b7655dc2fb4103

memory/1436-82-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-83-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3a4e0efe326d99df114cba8e7aa05d5f
SHA1 2b230bc1e1609709c89d50106911931e9267935b
SHA256 0681d0a0ddf044f4533ff81d87f0337d6dca94129cb16857c948204694fe9025
SHA512 fe952ff87b7d89034aad0e176c538b5826d73d8312bf43074b5c5bc1e44fb1983740bc83cbc1a496bc757c30b77d83f87a14a5df3e083b66414a8d0ef6cf07a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 701870c38886f0889f509c8ba343565d
SHA1 e89e8b493c792845f20e7d4a5cc54cdb5b89153f
SHA256 bb968a8a5a8177c5410fc0cca2518b105ebbb817e4c1414eb9c048655d68091f
SHA512 0c58d32fcb9ca3fe77b6a7a5d9b81151da4f3c1cef031b81317c59386afb318b5f7d002ca688e83253d892c69e629a49085272105220a8935be8e42744465616

memory/1436-93-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-94-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4fa29c1e5adf2d97ccdcf8f078326e96
SHA1 d3ee2ccbc7fb7cf9ad55274b7480ba77259c411e
SHA256 72da6ebe31fe73b0d9b4090a107bf5f990060c6cb60905dde33f8529ec4afb7c
SHA512 5a907273f90220c850809e30896eea6974ff899c61cc46e74ab94eb118e0e594f7bc285279599c6b149a451f24be7e88b54c1beb465dc53121215f2afcd29b46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f879bf224201cbe8e8335bb2ad3bc1a9
SHA1 6b9cb5becc8d87283870ce1702b37510f61a7039
SHA256 22509c20f32567db4cb9d53ec30f62bf08af86f996deb6dc7c648acb5f41b65a
SHA512 aabbf97361a5ecc07d0a5b2fe838bf36ffdc1a39a3056e5f8faa3a4cb8db0fdda4ad65d6eb7e3354b1a11bff60f1b0db6c711acc83f31a39113780ce2694fc1e

memory/1436-103-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-104-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f97cfa93a5bdcc5baeeb90df39becabf
SHA1 9d3fa103a198b7757f43f4b0c6e7aacde81b82af
SHA256 c887c79ee424a3c073792cb21b43432a4dda54c6a1696dc3f09b072e46a7e234
SHA512 a316a87c5a18f6c9d9744580c56627beafd6af6a7ee0c00b9edcdaf02426b6928bc6e2a2cba0b9a43bb705e651d72a0348ae978eab7357c7af666332a48aa303

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1a890964f7d9c91f9d8ecfd64a1dbe23
SHA1 f874c98d46685b40e54afc1c57343e6f12196af4
SHA256 0b83dbdfbf687ac945a7b5726cf16f6b96d6c2ff0bf664023029057aab07b96d
SHA512 22a726a37b12949dea5c14e34fb7b2f3aafd6a622084b19b20f0c4de9b46391f99aa8dec24374c27a94325eac80bbb5819897217799d63f08fd76979fb3351a7

memory/1436-113-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-114-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 32f6c535bb83ddc1292ebd80d933fdb0
SHA1 be3b76b46636c50c5595140b2fb3085e21f1408c
SHA256 399c8be00ffbd8d5c3640158893a52a213dc0a5fa81c8238ea3dd53e706f13b3
SHA512 cb71211a91fd21db95f7cd56e66bcd538e550ca77cabcea47939218cd67a69f3f6c34514eafd0400a916c65a9ee2bbd4a0a216211e828c0081c02cf2ff6bb911

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d1f6b2274a6a596b1e55e05908c72369
SHA1 ba132affe8da648628f3c74f61918b502154169f
SHA256 97191734a16b4385e1ac1488dcc44df92b1e6f793bdd01d85762c83e3e6614ce
SHA512 55ace01efcb2fbbf121ad135680aca89242abbc52742c5ac0457a2415665fa11d1161e69e3443d153ad810a7c0f0571406012c5273f52f9b997473bf43667a61

memory/1436-122-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-123-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fd597a7677f635e2b620c1fce64fc6a4
SHA1 450be83795e8dc8f7e8ae3e3d86a86ee8f68d6d0
SHA256 2676a11e8456addf3a8fea573cd71fab878b5a3a4f7d7d41453fdbe3b915c800
SHA512 1e9916d0606b5ba8e6129a082b3a9ede0b6e38410498e5f5b0b7c3a3a4809a78ecd38ca78b45586c7202fd99c5c4afe59f3449b12e16f96be88052a98a2277f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fd93932738834bdb382112844030a39a
SHA1 e94d64d640adbcd3565008cfb41e6572a89b6218
SHA256 f803ba4ae72224ae0b3ac9c5da4f913665ad7856d9d37432309ec13c6adba3fc
SHA512 f24481eb359ed7e85bf484181f1122a310aa6139dec5bb502df7cea015d2e2d67dcc6e8e5eb7d5ae08f723139b749d3da65fd93cb061f94f83a9e8f9ad2c7eab

memory/1436-130-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-131-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef3151c868caa80bae7e38f7cb285359
SHA1 0e993462058d039b2a2f7f87b08a7f7f40d77b3c
SHA256 fb960d6be2771b89a1c700967b897aa15fdaf757c44b5098aeee3ca34f9aa8eb
SHA512 848fc0230a0ed26188f603fe1d381eedeba514addca5006cc0f4c7d95bf7e0499168cb1e6e34fc40687340915e17d0e97552d038f8a119635d64e14d0b803364

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 361f8c2dc32cff06e9c726c6989087ac
SHA1 094bb05492f36a0ddb5a7ac0a0bf02765f82794e
SHA256 70cb6b50196da92b102b4f5fa2b5dd72771a117eb9a62574c4cc1c009945ab1b
SHA512 61e0ee69c482234f53b1f3cdd3a0ad26a6efaae48e4a215c4c8139fc0e021bbca494133246749a778e0833af2ad411ac0dffdadf22f3aacd28e88491e601a461

memory/1436-140-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-141-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3dae1f0196e35d3303d687940ea0b3b3
SHA1 b3346bf20fe0f8a26ccb4e75ad411305efabff4e
SHA256 71db439159a74389a961ea0ef0a31a303fcf17c4e63e79cd46703c92c0ba9e31
SHA512 817f0fe76303a5cfbe18a83513de7ed7e9b25da91b3301258cd41dc8b78a95c10d9e0afe66717821aab6420cb5fc603b94620b9a0f025f153adac27da9c89590

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 670bb86357d6937fc3b6ba6b7df851fa
SHA1 8f1222311e1a756b644cf88ef79e2db1ade4e728
SHA256 114d07f9e33c47427906380f17a7bcbaa651cd0e85ecbfa58056d8878115fed1
SHA512 a9d2ed3850f133c2f0239341739e139a5ddad128ef068da21ca824b8bbf2cd9e9934e919b595a36ef7e973beff6993d3db7bf31d7dfdc86b02b8ad1131d188df

memory/1436-146-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-147-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cf04d077b052164cbc7f8fe4825ce648
SHA1 713dbbd7fdf33756af088ef64ec694a154cd131a
SHA256 36ba5c4e201d93c65bb5f654e861b424a4385212de5a63822bcec56abf98b68e
SHA512 1f4660e544f80dc3851cccf4db788a7e2707efa63620a9815243a6442dea51e8f9b82ca0af2c860f4a5ad33b73c6253be4d8b6a3862a0cb1ac157116106a3e6c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e658e45d5e8f9def6337c6f311ea98d6
SHA1 2ae96f8fcdd77a703a0af059d662a5ec1af22c96
SHA256 44a73b4df1ad3367b8a0e80fdcd98a8cc8107e705fbb356724dc016c2641af79
SHA512 a2e731ad8259d7487ed926438e4ddb641b8b9b1dbc9e479d88193e9c8e677ab32a81119e89191750c37e77850b3d90b209fac4668bc1cb33b27176a55502e6d8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4d4a94c127398a46368f18f9cbac7a28
SHA1 f22f1760c4668f75e8232aeb53176b560a24a1a3
SHA256 d4c973500e1ba6ac6d1deca72ed981628e4acd2c3175bcbb85f7beb61110fb2c
SHA512 ae3fdeda592171a8ba6def7e16fb68001d800bbf89c24ebdd17673fc527e85a6fd24af6a8ed0f0e389775fa87493ec6300d7c1d180f54ec4af1796ec63d8ef95

memory/1436-160-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-161-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2be1c035298b8a5d599d4ca49161ce95
SHA1 16824bb9cfda3830c60cd4c7949f3d6c0c99a545
SHA256 b011b149abb553551ee4cedd0965569fe5963e9bb7034a1048b8d8ca2854aac2
SHA512 2d70fb5002bdf66e0490d7abede5291d32b0cadc9b23532e4f5c4a5c8a8698a41d3851b0c14bcd63b1d78e406d83c35112927e268f76bf030de9fb1a57a9c8f5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 790add92133a41a99582e2fe8cebf34b
SHA1 727018e110391a46a9111829eee9dfc31cfba321
SHA256 d9fdc4504f460e7f91b81fa1677cbf2bd14869c650dcd14dffca3e0caf620e47
SHA512 b1d47c6e8ed3a93d8e421ee26142159b57d4dd4e2b2dc49a864cecb538f2fdc72cdaf7436a5dba261b4cff720ecf1f3dd91d423f8e2f8d5413a316f05cb1c10b

memory/1436-168-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1528-169-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 066efd306e6c8d4f3085e2c62c6edc48
SHA1 4751cfdd1b2dae2f2c356d2e34bdbc6e3d711d0d
SHA256 70e2d381d74fe103c653acc3d302f6e3a8e13089a68e5517e0e1e2a9741847cb
SHA512 c590e2a921ff053732f026559137eb594947626bb403adcaac633025b4ee0aad67c536664fa2e8dc245730c9be4235462f960b23469a505e463d011aea3f2595