Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-km58lacc44
Target 53e74a9803323f11c2d02307c3748d7f_JaffaCakes118
SHA256 6c74f0f9a8b3082440a8ab2d7aecbd17a8551e55c5bde23d1d8f8dfeb19db356
Tags aspackv2 persistence ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 6c74f0f9a8b3082440a8ab2d7aecbd17a8551e55c5bde23d1d8f8dfeb19db356

Threat Level: Known bad

The file 53e74a9803323f11c2d02307c3748d7f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops startup file

ASPack v2.12-2.42

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-18 08:44

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-18 08:44
Reported 2024-05-18 08:46
Platform win7-20231129-en
Max time kernel 145s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

MD5 1d449fef10ca8e68c6562fc47b80f101
SHA1 049638bc77c332a3aecc760f15f70bc774f1e34e
SHA256 9bdaafda7bfb9fe0606b154e61db3f3998ef69637c8f1e5b20250051d1268498
SHA512 4c5e68ed2105dde78b915fd3ea82b7fe67bb66da137e7def27226c0b6cf5ab27ccda63a0734c39929302cf9c8f6409ed548f7fbc77c230bfa98b13dbebfb0d04

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

MD5 4100c86708cb4631a68844d0b1c1b43f
SHA1 931fbaeda664375554bac652b36110a06cccc189
SHA256 92366b9836d6ccab8dd9bcf391c32b08427b4ad8e50ba3dd613479db1ff84408
SHA512 8b839dc53a164c65f975b92775bf6039f9b1d84309ba9fefdb0a3a4b7e246723c744c7382fdf6b0c61cadce256d453db11c8ac9416c6ac73745697189e6f9174

F:\AutoRun.exe

MD5 53e74a9803323f11c2d02307c3748d7f
SHA1 160d33e67653f4924c4ec3951dbe9806a2ed2db2
SHA256 6c74f0f9a8b3082440a8ab2d7aecbd17a8551e55c5bde23d1d8f8dfeb19db356
SHA512 cd3c5bff2a9650de4f51fad9489a68d42187b53ea4a0ab61865aa26f07d9cc7d329d3d3419b7fbd5edb30a1170ef31e990980d0271ace3b60e48225660b3fdb1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 769911edfedfc30a0e98712d44d0f352
SHA1 6a8680a91022e7aff9c68a68e04b1bddcb4559ae
SHA256 164f560af21c7056e38aad8a4464f42b7b23d6b7b5c8c5f75fdb755a7e07cdd7
SHA512 c1a1c87238dae88b6bf2de43ae36b5cfb31087dcc53b11b1390207255ed890e5e8c9ef762ce03660c11d5a189d17b7b2e382978d33011da81335509a46f77ea0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 559251b79716099b27d942551e49303c
SHA1 ba4d13ab00c2961c354d131392b0e22f6a3a16d3
SHA256 8849e88e0ae6cbbc52f4df8f69e689066f476cc40951cef08598bd468d4c0ca6
SHA512 3f0d0d76d98caea4f487d90fcd61cd6c11990a2109ff753737eaf3b58899cb3d0914983df9f0beff9499a099935616b1b172513f4a9bf4799e5b3691c3c36bfe

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-18 08:44
Reported 2024-05-18 08:46
Platform win10v2004-20240426-en
Max time kernel 145s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\HelpMe.exe

MD5 1d449fef10ca8e68c6562fc47b80f101
SHA1 049638bc77c332a3aecc760f15f70bc774f1e34e
SHA256 9bdaafda7bfb9fe0606b154e61db3f3998ef69637c8f1e5b20250051d1268498
SHA512 4c5e68ed2105dde78b915fd3ea82b7fe67bb66da137e7def27226c0b6cf5ab27ccda63a0734c39929302cf9c8f6409ed548f7fbc77c230bfa98b13dbebfb0d04

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.exe

MD5 79688e887a23fd6fbe17a3a840e4e789
SHA1 86151954de77dc670abb6c38297780cedf983523
SHA256 77c48ca61271c2423b5e61b152ed6d078974ade596f813c3d0feff151cebad9c
SHA512 89af5dec09304b316d4852018fc71b3716cd56e8604444363ba08a062397533278c324d2c45d16f27832f9ee53843506f8a8791a24c37c7618493e5481aae00e

C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.exe

MD5 bd775d687060acb0bcb9dcdfbb39f74b
SHA1 edb0d0ca4aed2824253718e853f935b09d1c41cb
SHA256 f98dd8a8ab02e4ced33285807e9cf90355333dd0bda995d6e0feefd2a6a864e4
SHA512 90221b1de61885d0b9904febec6c05e858adde25269309b01f558b8a98ba5c81ba4d6a99b34f6e13a20bedea6eaf8ffbb1b612ca1f15beb597b2e94ff1a27aa3

F:\AutoRun.exe

MD5 53e74a9803323f11c2d02307c3748d7f
SHA1 160d33e67653f4924c4ec3951dbe9806a2ed2db2
SHA256 6c74f0f9a8b3082440a8ab2d7aecbd17a8551e55c5bde23d1d8f8dfeb19db356
SHA512 cd3c5bff2a9650de4f51fad9489a68d42187b53ea4a0ab61865aa26f07d9cc7d329d3d3419b7fbd5edb30a1170ef31e990980d0271ace3b60e48225660b3fdb1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fa7f3aac16cd42adc37f23d8f338f011
SHA1 30bd573f976de12bc0b5d58c6169f1448607d977
SHA256 a3c4b2e849dd3ea9bbf2e911fca88938c7181a52f24f1172e70139173a5ac466
SHA512 2068f4ae79265b90048c2bf2c9837cf4ccb0b3afb19a1a363456275cd34bf20f73e07adf6d80c1cee8c77018226ce5f0d9d54a583d7228c378f5d6d498c7d85c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 525f1fa7763644c3044ac1c0eaac66e0
SHA1 a351ac4756d6dc009e3d0ab67e4db2e304a82d93
SHA256 d3d52c06edf94ce01f5c29675268acac74e7480beea6375617467619a6bf59c2
SHA512 e86de7021ffc142013a945453f08f6a327d37b8a6ec297ff19327973ae376f4e9be9720f217270e7b7035e07d89d5b74c11be07e2e8679992167138b45329fbd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e3a34b13f701d0d238415ad25888402
SHA1 8290b12ecfd2f7289bd3511b0c416c297a9dc949
SHA256 7a445d7218760b63e176fa5d7b9eca75649372ccdfc41c7b875036375aa39732
SHA512 130d53afbc62a7a2ae5a3e62d20e292ed96bf4b274d44d5d94990b435c04763814a3b628750eca766af5df5536cae889a9ad6519bb7f26a631cbbc3ed4a15b78

SHA512 e01676a30737b1c9de620dc05f490c8a7fb8050530d6ff6741542f96dd65ef07c5b9762cdff59092880414aaf3045ce21fe79010d15513f6b8c2ed8f9d9c52ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cb8f67acdc23eb95d77c5f6ef8d3b4cb
SHA1 f047e21829a3246f5b109d8cc4b47a78f5b7ada0
SHA256 742948c5872a6ec0f23b751e26cfd7b489c59fd0ae8320bc18cde8e909ac7783
SHA512 d8648da1f6974485a0619846a7cc9300b13d807966cc99bd528061be10a8e30ad7159305c36eb1a95e52a5d701ef9880a047d4cebaa6593fd39587ce75817b8f

memory/4180-152-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1524-153-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 351f50bed8a7c5254920bcc09425f0fd
SHA1 015bd72cc50d1370bd0cc6c9bb6ca8f5fb9ba43c
SHA256 0e97e9b5c07b8f499603995e75625c5bd9bd5bb2b00cc886b34c2e2e70495f35
SHA512 da3bee713474b4d7beee5196fb15163b6d18d9036ed601dabc31335dafb8fa078f0e5e971dbd8d9e55f47b98ff450d73f228e8be2c6c5e5499942f0a2e03b868

memory/4180-161-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1524-162-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ac2c16c82a065bdcbad51524c2431ec6
SHA1 e256305282d221931f40ba0de8bbbe56ff052d59
SHA256 7e554e18e881ca3f9468812c88f9d30d1a5e53b8da4e7cdb4df4cab5b24e36cc
SHA512 839091fef474f53040c0b13b48be7150c967c897af802f34f6e74ef95d3e38ebfdc7533f644d866fdc7682a06aaf2222ba02029f2804e116e896386abe7586ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 efbb303fe7407afbd1d299b5c9b90ce6
SHA1 e1f29fb2a751311aa1b1b9c899a9a7a27d6a9ccb
SHA256 6a8527d9e612ec0067278f5646517111f175bdf56fe46d1f6ccc2204353984fd
SHA512 5a33b722ee38f7be14a0557dc0be737fe73ea693968b91a02e8c6c646173792c8558624c17bfc67b77a4dd68f2802e725b644f3bc383b7c87f8474ef622e577b

memory/4180-171-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1524-172-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e00766a4ddbe718acdb398587cbd599
SHA1 fbb1aa5de68de703a7fef5faeb4fb9e1134c18b2
SHA256 7b236b0bbe517740c44aad1a0ea5525c9f42bae71baddfd30da5b6747cb49b91
SHA512 52bce651ffcf384829e0b1bfbc5e84b2b5c5ae871b0c1e80dbd7f7053d16485ae7bd4a84f260f5a4456405818fdae545285bec28c4a7867fb44eee934b55af39