Malware Analysis Report

2025-03-15 05:44

Sample ID 240510-apztgsba48
Target 2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118
SHA256 0e52b3782869ffdd821b82e67d7cca9a53f0f5cc42ce9c6b5152f7a2b8e1cb60
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e52b3782869ffdd821b82e67d7cca9a53f0f5cc42ce9c6b5152f7a2b8e1cb60

Threat Level: Known bad

The file 2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Read together, the two detonations describe one chain. The submitted file (ASPack-packed, unsigned) drops C:\Windows\SysWOW64\HelpMe.exe (a different binary: its SHA256 6e28f8650a197b3ae0473f036fbb7920d60056dd93324dd3aa153fa274575601 does not match the submitted file's) and executes it. Both processes then set the Winlogon Shell value to "Explorer.exe HelpMe.exe", write Soft.lnk into the user's Startup folder, walk the drive letters A: through Z:, open AUTORUN.INF on C: and F:, and leave an F:\AutoRun.exe whose MD5/SHA1/SHA256/SHA512 are identical to the submitted sample, i.e. an unmodified copy of itself on the removable drive. The "ransomware" tag comes from the rename signature (91 files given an extra extension; the Files sections show desktop.ini in the Recycle Bin becoming desktop.ini.exe). The report records no ransom note, no encryption artefacts and no network activity attributable to the sample, so treat the tag as a file-renaming worm behaviour, not as evidence of data encryption.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 00:23

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 00:23

Reported

2024-05-10 00:26

Platform

win7-20231129-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Both writes land under Wow6432Node because the writer is a 32-bit process: WOW64 registry redirection sends a 32-bit write to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon into that view, while the 64-bit Winlogon and Userinit read the native key. On a 64-bit host, check both views of the Shell value; anything other than explorer.exe in either is a hijack attempt, and whether the redirected copy ever takes effect is for the analyst to confirm rather than assume from the signature name.
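A small triage helper for rows like the two above, added here as an example; it is not code from the sandbox or from the sample. SANDBOX_ROWS reproduces the two "Set value (str)" rows from this table; the regex, the Finding type and the function names (shell_extras, parse_row, triage) are this example's own. It splits the Shell data on commas and whitespace (the value is documented as comma-separated, but this sample writes a space), reports every entry other than explorer.exe, and records whether the key sits in the Wow6432Node view or the native one.

```python
"""Parse the sandbox's Winlogon 'Set value' rows and flag Shell hijacks.

Added example, not code from the sandbox or the sample.  SANDBOX_ROWS holds
the two rows from the 'Modifies WinLogon for persistence' table; the regex,
the Finding type and the function names are this example's own.
"""
import re
from dataclasses import dataclass

# The only program Windows itself lists in the Winlogon Shell value.
DEFAULT_SHELL = "explorer.exe"

SANDBOX_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A',
]

# Row layout as printed in the report: description, key\name = "data", writer, target.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\[^=]+?)\\(?P<name>\w+)'
    r' = "(?P<data>[^"]*)" (?P<writer>\S+) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    key: str        # registry key as the sandbox logged it
    view: str       # "wow64" if the key sits under Wow6432Node, else "native"
    extras: tuple   # Shell entries other than explorer.exe
    writer: str     # process that performed the write


def shell_extras(data: str) -> tuple:
    """Entries in a Shell value other than explorer.exe.

    The value is documented as comma-separated; this sample writes a space
    instead, so both separators are accepted and compared case-insensitively.
    """
    parts = [p for p in re.split(r"[,\s]+", data.strip()) if p]
    return tuple(p for p in parts if p.lower() != DEFAULT_SHELL)


def parse_row(row: str):
    """One sandbox row -> Finding, or None if it is not a hijacked Shell value."""
    m = ROW_RE.match(row)
    if m is None or m.group("name").lower() != "shell":
        return None
    extras = shell_extras(m.group("data"))
    if not extras:
        return None
    key = m.group("key")
    view = "wow64" if "\\wow6432node\\" in key.lower() else "native"
    return Finding(key=key, view=view, extras=extras, writer=m.group("writer"))


def triage(rows) -> list:
    """All hijacked-Shell findings in a list of sandbox rows."""
    return [f for f in map(parse_row, rows) if f is not None]


if __name__ == "__main__":
    for f in triage(SANDBOX_ROWS):
        print(f"[{f.view}] {f.writer} appended {', '.join(f.extras)} to Winlogon Shell")
```

On a live 64-bit host the same shell_extras() check should be run against both HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and its Wow6432Node counterpart, since only the former is what the 64-bit logon path reads.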

Renames multiple (91) files with added filename extension

ransomware

No indicator table is attached to this signature. The Files section below shows the pattern: desktop.ini in the user's Recycle Bin reappears as desktop.ini.exe, i.e. the sample appends .exe to existing file names rather than encrypting content.

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
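The AUTORUN.INF rows above, together with the F:\AutoRun.exe (same hashes as the submitted sample) and the desktop.ini.exe entries in the Files section, are what a responder checks on any removable drive that touched an infected host. The following is an added example, not code from the sandbox or the sample: build_demo_drive() fabricates a stand-in for the report's F: drive in a temporary directory (the file contents, the SID folder name and DEMO_PAYLOAD are made up; only the KNOWN_BAD hash is taken from this report), and triage_drive_root() parses the [autorun] section for launch keys, hashes every file against the known-bad set, and lists doubled extensions.

```python
"""Triage a drive root for the AUTORUN.INF / AutoRun.exe / *.ini.exe pattern.

Added example, not code from the sandbox or the sample.  build_demo_drive()
fabricates a stand-in for the report's F: drive in a temp directory (file
contents, the SID folder name and DEMO_PAYLOAD are made up; only KNOWN_BAD is
taken from the report), and triage_drive_root() runs the checks a responder
would run on a real removable drive.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 of the submitted sample, which is also the SHA256 of F:\AutoRun.exe.
KNOWN_BAD = {"0e52b3782869ffdd821b82e67d7cca9a53f0f5cc42ce9c6b5152f7a2b8e1cb60"}

# autorun.inf keys that make AutoRun/AutoPlay launch a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Doubled extensions produced by appending .exe to a data file's name.
DOUBLE_EXT = (".ini.exe", ".txt.exe", ".doc.exe", ".jpg.exe", ".pdf.exe")

# Constructed stand-in for the dropped binary (the real one is not reproduced).
DEMO_PAYLOAD = b"MZ demo payload for the added example\n"
DEMO_PAYLOAD_SHA256 = hashlib.sha256(DEMO_PAYLOAD).hexdigest()


def parse_autorun(text: str) -> dict:
    """Tolerant [autorun] parser.

    configparser rejects the junk many samples pad these files with, so only
    key=value lines under the [autorun] header are kept, with keys lower-cased.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value: str) -> str:
    """Program name from a command string, honouring a quoted first token."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def launch_targets(entries: dict) -> list:
    """Programs an autorun.inf would launch, in key priority order."""
    return [first_token(entries[k]) for k in LAUNCH_KEYS if k in entries]


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_drive_root(root, known_bad=KNOWN_BAD) -> dict:
    """Report autorun launch targets, known-bad files and doubled extensions.

    Every file under root is hashed, which is fine for a USB stick and slow
    for a large fixed disk; narrow the walk there.
    """
    root = Path(root)
    out = {"autorun_targets": [], "known_bad_files": [], "double_ext": []}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        out["autorun_targets"] = launch_targets(parse_autorun(inf.read_text(errors="replace")))
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if sha256_of(p) in known_bad:
            out["known_bad_files"].append(rel)
        if p.name.lower().endswith(DOUBLE_EXT):
            out["double_ext"].append(rel)
    return out


def build_demo_drive() -> Path:
    """Fabricated F: drive layout mirroring the paths in this report."""
    root = Path(tempfile.mkdtemp(prefix="fdrive_"))
    (root / "AUTORUN.INF").write_text("[autorun]\r\nopen=AutoRun.exe\r\nicon=AutoRun.exe,0\r\n")
    (root / "AutoRun.exe").write_bytes(DEMO_PAYLOAD)
    recycle = root / "$RECYCLE.BIN" / "S-1-5-21-0-0-0-1000"
    recycle.mkdir(parents=True)
    (recycle / "desktop.ini.exe").write_bytes(DEMO_PAYLOAD)
    (root / "notes.txt").write_text("benign\n")
    return root


if __name__ == "__main__":
    demo = build_demo_drive()
    print(triage_drive_root(demo, KNOWN_BAD | {DEMO_PAYLOAD_SHA256}))
```

The report does not show the contents of the dropped AUTORUN.INF, so the open=AutoRun.exe line in the demo is an assumption about its layout, not a quote from the sample; on a real drive the parser reads whatever is there and the hash comparison, not the file name, decides what is known-bad.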

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

For each process the first line is the image path and the second the command line. HelpMe.exe was launched as C:\Windows\system32\HelpMe.exe but its image lives in SysWOW64: the sample is a 32-bit executable, so WOW64 file system redirection maps its System32 writes and launches to SysWOW64, just as its HKLM\SOFTWARE writes land under Wow6432Node.

Network

N/A

Files

memory/1688-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 91b0e0e8a69f91e7e8b70b1193f39aaf
SHA1 883551c9f9aa27cd60357be4a489f85d80029831
SHA256 6e28f8650a197b3ae0473f036fbb7920d60056dd93324dd3aa153fa274575601
SHA512 b9b4b3613a70d3c746ae81e97cc15e324e71e3af89d5f3788358dab44d8574c5ce4b47a183ea79057dabd057749aece557e17623059ffff76067d956cb5c36f2

memory/2124-10-0x0000000000300000-0x0000000000301000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

MD5 b80589163f61fab8b0c06b060b0eef76
SHA1 64768953eff5a893a48ee0c7f6366ce1077bd59d
SHA256 afb6cf80f180892301e409f1aca37e41f614dd0cfc184ce26e5ebac003edbca8
SHA512 42735ff488bc76168ce0a2497f91ce2fdad7e46ff633ba5c7a057ee0b708b8892f3bee596b5d4cb65a24688768367ecf192480b507ff2e301ffb14370cf46452

F:\AutoRun.exe

MD5 2c6ce11a6e292b37eaf19b3795a00813
SHA1 8f18d29beb3b51970a66f935f3d0d46652149713
SHA256 0e52b3782869ffdd821b82e67d7cca9a53f0f5cc42ce9c6b5152f7a2b8e1cb60
SHA512 55ec7dbc4cb0e82160f8a0f8971b7c36d7cf712ac7834cc3c2695442bc8efc7297b666028459dcb115c5bb0d8e5784072fea0b26ca74ce0257ebe46f8349c61e

All four digests equal those of the submitted sample (its MD5 is the prefix of the target name): the sample copies itself byte-for-byte to the root of the F: drive next to the AUTORUN.INF it writes there.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 789b71e6b1a824d5412aba779609040a
SHA1 1e15d6f14d71159190f3844e2dfb2b0de529b10f
SHA256 e8a24f15ea7d13ac4e89f0b3c9cd9173c5ddfb77864bd960ec500c02e652e4a5
SHA512 28bdbf4edbd6b5b36c54855ddb63b36de74a735302f46cebdcb5d9f2a8435ed22877e30667882f336393fe1ace22c53fcbc158352a6a56b0c7ed9abea4f38041

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d8464aa55f243b7d4667d78c8bfbcd39
SHA1 d5f4d9b5105794220aff6bab44d0d84c080c24cf
SHA256 c76d779cb528bb0ccf3cec178a8b2ac7468a948666466c7335bb12ef8848f178
SHA512 02aa1d408138c3d36c97e54ff9a53fada73d6b8156762c0ce0b316576dbcedebb310e70dbaeb53fae0af498b3dbb816ffc5686f925569daac1be222fa55867d3

memory/1688-228-0x0000000000400000-0x0000000000478000-memory.dmp

The repeated 0x00400000-0x00478000 dumps for the two PIDs are snapshots of each process's image region taken as the run progressed. Because the file is ASPack-packed, these dumps, not the on-disk executable, are where to look for the unpacked code and strings.

memory/2124-229-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-238-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-239-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-248-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-249-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of a zero-length file: the sandbox hashed Soft.lnk at a moment when it had been truncated for rewriting. That is also why the same path appears repeatedly with different hashes; the two processes keep rewriting the startup shortcut during the run.

memory/1688-260-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-261-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-270-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-271-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-280-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-281-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-290-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-291-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-300-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-301-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-310-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-311-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-320-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-321-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-326-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-327-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-340-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-341-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-350-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-351-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1688-360-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2124-361-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 00:23

Reported

2024-05-10 00:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c6ce11a6e292b37eaf19b3795a00813_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

As on Windows 7, the system32 command line resolves to the SysWOW64 image through WOW64 file system redirection of the 32-bit process.

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 122.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Every row is a DNS query to 8.8.8.8 or an HTTPS connection to a bing.com address, and the table has no process column, so nothing here ties traffic to the sample or to HelpMe.exe; the Windows 7 run recorded no network activity at all. Treat these rows as Windows 10 platform background until a capture attributes them to the sample's processes, and do not publish them as command-and-control indicators.

Files

memory/3756-0-0x0000000000640000-0x0000000000641000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 91b0e0e8a69f91e7e8b70b1193f39aaf
SHA1 883551c9f9aa27cd60357be4a489f85d80029831
SHA256 6e28f8650a197b3ae0473f036fbb7920d60056dd93324dd3aa153fa274575601
SHA512 b9b4b3613a70d3c746ae81e97cc15e324e71e3af89d5f3788358dab44d8574c5ce4b47a183ea79057dabd057749aece557e17623059ffff76067d956cb5c36f2

memory/4060-5-0x0000000000740000-0x0000000000741000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 a0d451bf08bcc3879f6c32b28068b024
SHA1 1e14500963762bde91f2da1b704aaf5a2df0b212
SHA256 f6a2c6da6246d18daf5d2383f2c43595cded7379dfc2a0abc83237207e47df90
SHA512 8fdd66a10f24fb143135dd3cf81fd7b621a127eeafaa3007fe9f185f69f83ed97268db69017cc10c832c02b0fc460958e858a93922ef52aa2cb08c1f601dc631

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 4a00b789ed23c1ceca07284eb8f97d9c
SHA1 b8bb140fb6a9eee9148741756affd53f423fe160
SHA256 dfe8dd90a323424092a0ce4970841b27a81524c132d38c9c62ed01948ad03007
SHA512 045e0ae4a8713f8cc18852681d86fc730948f47a920da11724560e546bb05f77b3a2386d082a004103c9ffc5d0dffc78cf0342aa86c1b8036cab906524b5036c

F:\AutoRun.exe

MD5 2c6ce11a6e292b37eaf19b3795a00813
SHA1 8f18d29beb3b51970a66f935f3d0d46652149713
SHA256 0e52b3782869ffdd821b82e67d7cca9a53f0f5cc42ce9c6b5152f7a2b8e1cb60
SHA512 55ec7dbc4cb0e82160f8a0f8971b7c36d7cf712ac7834cc3c2695442bc8efc7297b666028459dcb115c5bb0d8e5784072fea0b26ca74ce0257ebe46f8349c61e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Digests of a zero-length file, captured while Soft.lnk was being rewritten; the many later entries for the same path are successive rewrites.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bc9cf9938e16948d658e79bafab26fce
SHA1 10e58b503074523c907825c0d461bfcfac16586d
SHA256 80847249216c81a9d8fbf237082db3cc209ee32c76092b166688baae0e148c30
SHA512 d6008328e7571187945a73c70b7bc1b72c53d86ba1d4fa997c9f4c226ae3d2ff252f32c7f30bbd2319e82ab0c3dafc763a389bafa5244ede7666da4279729823

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 332ae88d5fb716a743e10f6629440f91
SHA1 9147e80cf4b9c1f130818e20f68c7d30e05cf4e4
SHA256 7226a3b0ba48bd1bfb616a881eb68bfebde05a4d0045c126c6eac25e9429f28f
SHA512 08c6bb0549b776736d52df2fbabc295b8767c203ca4109d6d5ec34aae757168082cab981c3812e4ac987001205fe51ebc725e815cccbf91e0f150195c05e6c4f

memory/3756-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-50-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ce6c4286ba44d89f89ace24396ccb3fa
SHA1 8e559c87053588daac05cf665ead8c6edb8564a0
SHA256 f429419d789bf7451887bdc3b709b6ac04e9aacb53564429114c2ece5c48f672
SHA512 a5e31c1cab3a9a0f59bc42311117bca8433e40e592cfcdc2b4cd6be76dbb846e7d6d65ca562a4d2b59226f37875cd12b7688407bba2c24fcfd948fb7519eaa5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bacd2a1891595c7e15d95376fb283657
SHA1 9ab2ff652cbaa665f583289e5ba62430674f9536
SHA256 2fba810b5402a924be8dba1b61a5c12fc77755caec1cc754a5b832e99af0630a
SHA512 10e69e5dca7016da551ebf5d3b64512bb6e38fcb12ecf602239f77f96d30da85292bebe3a1c9e7d5f179516939cb2c2ad1b849fece48932ec5ab68fa954a0d3c

memory/3756-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3756-60-0x0000000000640000-0x0000000000641000-memory.dmp

memory/4060-59-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b51b65864645df61cfd1b43b66f0de7a
SHA1 b08b350f55d14461a2decbc03771c40c159579bc
SHA256 6e6b055fdd7409a62ab6ad239aa2c61b8e738c701c4b0e4e22f31e777b4cf6a4
SHA512 ab0b71f982b9137a237fc00fd6e796406e787763e921a36e2953e876b02b0e7f148ee6fd7f9e9d81f716a04ac205ffdb7074436558269b3d40e5846ade2c3ec2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8ea2a2fb881d3f6e2d30c822dd208251
SHA1 c9fe36aefdfa1c2868c9efbe65678f8564dc4722
SHA256 8b119d04b39866fc9eb138bcc36886bcb626dcb3c5a04b8a928c4d538b647b58
SHA512 870be510cb226c1869caa60b14a3da6c49fdbeae70220807384ab113736de549efbc91e76912af73089fda01d4624be19fc41eed1ec4c32118c0cda1a69352a2

memory/3756-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-70-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 827bc60911bcd20041da3093f4917ce3
SHA1 7a44a7fdcb1e5bf86c2b676165f0f194919ba42c
SHA256 8d623aef034a59fc803d667d0998b4af448eb856a840aa9d5523c635019fdd46
SHA512 43c1d8cba23ccbcb2b4e7bedb9ab0c3c5607257589dda7a3f9eed0dc521783a014e53c178d6c3af47c855997ccd2045f212d105cb6cc3e937fd3afbdf3a7625c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f43f022f53c037df1bef9aedca8be1c
SHA1 600cdbd62540b26deb1d1d3fedc9cee6eba7abd9
SHA256 7927da10ee81504c60f53aedc1932617dd34c318a52b261e52ae4867091ef196
SHA512 0dc938d6cd16b8a9dff552c92bff14da60a6d5bd5c32d2d52eafe4a36c2307574ab6d03bb39036554988bcbdeb6afb416af75631fad487a28788d86d7cdcab1a

memory/3756-78-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-79-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4bd7c846864900a61cffbff5594724af
SHA1 72009004fa897d8ed17684c336aac50594aef830
SHA256 40edc9aca37d191f48f5655be2ec8bc634dcb58a7a3c63df9fffccb9e7a23cb4
SHA512 d757b0b7a3c567814261ab0a20d7d84a67e0ebf8cdf7ca518f232d91fe85faf19258a01e7f2be214fd50e290d3a720178a755dd6d38f81eff4debc9a9fdc5fcb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88a83f3d990367e552973660265fec84
SHA1 9854def946814631ece80d3e18dbeca1eede17ed
SHA256 0ecf373369ea1d8c1dc6555e3cc2180f45b50812526c226e451b7004f2b5b04b
SHA512 df5629d80b6c4f13334d38947358965caa35b282c8b96589bdae9e27f324ede69b1d6551b88ebeff587a3d19fa7585fef6832add1f02f71aa85acffae9967a42

memory/3756-88-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-89-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a8c3586877c58009783dd50de1c54b7
SHA1 9320749177bf6a48d427f127fdfef120d4a98453
SHA256 bb786c0faaabedbf031e1b87b36329970e75b49ef73809569d6925668ed25e9b
SHA512 877e8f6fbdbb8622cd6f30b564c006c0d952f6ab329a41f63c8056f97d7eabfd53f3c114759d9abee296e69613fd116dedbfaaac8d8d8848beaa25049dfb4034

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8485e5cc343aab41e02a59575e59a0cb
SHA1 25ece6575789fbf709ac19f86d6e3cb08f150b54
SHA256 a2ab8e201c54fd7b742621a139131867299d32751fb511000805b1626bbedaf4
SHA512 dc566799b825d0453eab3b389e8f562d38071bf284d3221da08743c111edc7ce673ce74cd6f5d4ec2198e96362cd27757d7db4b350d0a8afb47492d23395bb31

memory/3756-99-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-100-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e8195844c4b9f739419009dfe22a2010
SHA1 ca26b9e68ff731dafeff5927f5c987a1bfc3faf0
SHA256 67c77ee3b366a596b65d7d1400023ca8c29ce395893c015845540815a26c1efe
SHA512 dd1ddffacb3b4a49956b2b5df91ef7120bd1aab356dd6602c536dad88a64f9541f48b4f038c13715e4cba531160421b932005a8eeb936a00d7f63dab8b521df7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7fcb5a59c4292772b0d0cc8c0e51e116
SHA1 e0774774619a5ac95f2446f8748b31b18bcfba2b
SHA256 1f49120391fd07c9c1e6f8232cd27375f6dc91c531883892dd1874712c1a4453
SHA512 e2d1611af018298d8f97324438a20ee078c2c8c81d3063c7f73e9c289ffcd617cdbd3cf19b52dc3cf83a73b6f55b38523e1683af5e386f8f71f1f25f680b9bc1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 573aba3b48e77b8c933753db414769af
SHA1 e632927f94c484378569516e36bad0893dc9946a
SHA256 071ec25dee4e9abed40486576c414dc6c702644c3503763585852615c1f4f086
SHA512 3c4d2121da7bc8b94b5beb5ef47d89a35d40d17adfc9202399499b77506fa03f8f5bda2bad909def60fce053ef52499b521073f1e00f3e44c94a9afd7d0b5f29

memory/3756-108-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4060-109-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 301e1dbac8300b244d3cc6de5374315e
SHA1 1cce84077fd9046ec7c9ec54863dbcc39012a22b
SHA256 3440675a90bda6cdb05d0c5598f0a90ed8814ef84cf4b9456fb037300a905dea
SHA512 923c2b9d297a234f73af3c785009e6b05eab60fb74360513c8fcd85f11c7eb582bce79d83ebd3215de7cd5492b166718fa60cad521f31a4d8af010050624aac6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0cecd16f7bd7fc817c27bca15a9be4e8
SHA1 af8322b8ca6fa5126a633883b54724e905a43d42
SHA256 965e5ec7f3f824921a1e358362a157a989d23af3711993f723a8f09bc368b95c
SHA512 43d86f9cb504cc7c76d15d6dc64845c6baaccd3f87d71a5311cec837023500d05c217d54cfe6a07bb54252db7fed336b64f37e158e234fd6648f9eae9fd4896d

memory/3756-114-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
