Malware Analysis Report

2025-01-03 08:37

Sample ID 240611-b53qrazeqj
Target 9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118
SHA256 0a40e2551a9c6650e021b1983120a67a6fa4445ba2e2aa7b8f71bfd03461f913
Tags: persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0a40e2551a9c6650e021b1983120a67a6fa4445ba2e2aa7b8f71bfd03461f913

Threat Level: Known bad

The file 9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (93) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:44

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:44

Reported

2024-06-11 01:47

Platform

win7-20240508-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Renames multiple (93) files with added filename extension

Tag: ransomware

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\MZ

C:\Users\Admin\AppData\Local\Temp\\MZ

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:44

Reported

2024-06-11 01:47

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\MZ | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9c9e6f867a9cc8d19b78cf624154b84e_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\MZ

C:\Users\Admin\AppData\Local\Temp\\MZ

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |

Files

SHA512 71397e28938f914835527a89a3de9307f9b2181e64106bf801f4c52ad3afb0b1854823d61242fd2fa216137d0fb522eed3e7a91a98d3699acda7bedef71d94d1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2bdb4c03fc2eca2c0ba0c3ade8e8d99b
SHA1 5de610be675c485e6d14a9dd2e8c980282a53bac
SHA256 b0848fcad244a40b249c84c0af6cf86e3241a22887bf8305c5902d55cd639114
SHA512 e8fdb05a78a6b1b61bfe0285cdf3eab182d148fb5c1d7d3f77a8cdeae3f50341bc80244392b96f3784e8fc45281d4f150463561dd2fc02c1a87b38b2eab21241

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 097c350d2c6520d4e441512c5f5278e3
SHA1 43d4b6f6cd3eea94474d85306e04070da4249aa1
SHA256 ad5a6ee24af5dc3ebbd6b03a9da44028bcb7ce59f19f3b98b84fbe7c30b6109b
SHA512 587c6d756d2ee9bab7482f39cb4c9038676baaa7d31811491d810a5cf92eea36a9900530b5d4eafa4d19e45e5b5ed0da42e06876f247ba1507fc9a3bc647f920

memory/552-170-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2216-171-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7f6bbdc15739db258f051a3febab3fff
SHA1 4b38ec035a8b8bf7142a8ac5a0f643262703903f
SHA256 0dbd446aa075ed5d16ab9d14ebe4f164adc4e498e14c5fbe7f87e987fa7d8a2a
SHA512 3039c49257e71ccb33261977f8d2a295c84464889f0cfa19af98bb02a501be6d834ede29b7979ea9e6910594b00591be015ddd9706d3fa7001b18525f7f9e244

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e0e4c311fb5c204d28c7c9edab6a1394
SHA1 3791950270ac11d5091cb79c55cf21a0512a1c0d
SHA256 6819b7764eba67d08a45f9f31db28e492d814ae6b85a76cbb394035f0ef9f792
SHA512 c86cebdccee32cde08d348e57808bf0dd6558bd2bdb55b43652549133335b96bfa96082926108ed7318b43840f93dd3293675aac27fbb0cf7b549de4b8241cbf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd7cc127b8c23338f802d280ff43dc77
SHA1 85464edeadb743c379f95c07826616167884256f
SHA256 2f7a748f2f40fd4d3a97c8907a00f4e355d0c38f5c22e234a673677a1830538a
SHA512 77f014527a29f4c7455787b88b4f4750391ce4c51176eda9c0579b8aa2e73feae747e5b01809131745a968640da4d1640bf71200550ab6e633b49656b159e3a6

memory/552-180-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2216-181-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 579806284eff0063dd2f9b92d2b0842c
SHA1 81f47f3090e4d7433af1b0e8861120d0cbf300a6
SHA256 49f42067e183ca3319da14bf5107d27a3edfcbfb303fae2c9e3be347f1c28d62
SHA512 20908830280deb5932d19245167b710461177a61428d2be2b53293f8c62258ee0763b134593c39c4314014760c74f2afb8affd7428b25f6fc9d2df354e2221ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ca547fa43133654856dcb278c2e11abe
SHA1 55ff660fb3847ad435bbdc5ed2fb90b9ad2aff57
SHA256 95cae0afb911106f03ad0e14138ea5b612a848fe12e1c5760c807f67a88726d0
SHA512 3ec145fdc7e77ca66aa2f9132d5ac02541ea5adbe3cc9adb57009fdfd7d66486346bb7531c8e26b2ccacae4c55254f8ef94494a4db20595bf3178ac36da5325a

memory/552-186-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3fb7a86e170ac49e97861e19f37860cf
SHA1 5f928bcd730eb1ea5c0cde8df50ef0a8a4ca842e
SHA256 8a423ef274e933490d6185f44b532e05c4a77601260e2768f88171c3f6b08cbb
SHA512 151c9d7c2327b292b8a7caa05f0a0923d5df149886d8572d6145a1847dd096bca50f8ecae601dd3da803e4f13a3cff46c23256e0334e88befa250312b34936bf

memory/2216-191-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 987d3dcb39cd4a99585b009931975f96
SHA1 7119f52a3bc36d595784c24968a145f56f9644a7
SHA256 339fe4e63d60b3a0ec04f4bff2729b3e2b483b966652ed96b40bcebebab4b94e
SHA512 e345e4663fd13f72c65186c74d4e5950411072dbfc755080d7c84d366fde5d5b46a11027bbc838a78a475ec4d7b9987cafdcbdae04ddbc93970513def70dd92f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4838459ed7971486c88e4685b883fcb4
SHA1 c2724f2a36a3f395cdcf1ebf0360233a283e85b5
SHA256 add83fbfb246bbe36abe574a406a847e5ea00cdd24a48124467b756d4c11fc1b
SHA512 9e3ee13bb07c096c83a063499791fa42be7d67de043de057065b7826150c59eaed387d77926406ea081efca3aeedfcb2284c6064f6d1b21f3c337f169d83e5d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ca4c944e73181c4773a7a24afeda270c
SHA1 951b5f4523c0a4ad4ba45ca6bfc6c7d3779dfebe
SHA256 82cccb43b06135333e3eb443014274ee3da169434f3636debb67b42aebbc4b66
SHA512 45aa2802af16e6802db4eb4c86c0dd6fc72385ddc3a45ad48b1ee02e10032dfcbf22e3700213f2818ef026c66a7b9df2944df6dcd36f1478e0e7dd10d2464b88

memory/552-200-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2216-201-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 52f1b6c5e9cc666478dd1420dc326cf4
SHA1 4e4ac4afdaff0ebd3eba67598cccac6e63bbd267
SHA256 8cab58e5c2bf46d79bc04fabc2804756e3f01bd530d51d502012cc62a579dabc
SHA512 cc21d56e9f722af6372c11d380ac0f5e6dc7e2a0b5d3ef9c2960a584e4541d3afe054998c3074c09e1288bf4d63e4ac7d7efe8c4adad268327ce0670798a0c01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 58c076d24a3661f661d977f550523432
SHA1 d6f3822d08b794b009fecb61f7b210bdcd5312b3
SHA256 764553e43d422c4f7ca6626c231c7de79edb1e728c72fc2cd869591e4bdc8b82
SHA512 9e25af6ce869ad5a554b404fc51f9cb3cc4d2bbdf6d8a05552db04f602be554107a069a04685104743abab6978d3fce808a3d47c01743c43c85af5b8995d06f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 84723f0bf6e266f7ad2c8d89fb86c7a9
SHA1 3b194cef2cbec6bfb6f1fbb9a9be114feee9de2a
SHA256 67f3908df37f6266f4e49408215765b2b14e1f07d0008a3e05f39fa731feec01
SHA512 bb032e16cfe4f758bfb9280254fa4c2b2ddef1bdca7cc2c15f402b6af8f35f2756d543601ff0bda8e8589dadf020870a126d9dbe0eb25ba878ba956957456170

memory/552-210-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2216-211-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4553dfd33ae3122769d6d0178c29fa61
SHA1 1d2759545b1fec293f34d85d49c696ce1b9979f5
SHA256 b560b29f56f19478b451cd1c1001dec86dbe848450bc59daa30ea77ba9620b27
SHA512 2cfd91461482b1984bc42afac1218d9427efafb58e34b2007d88e8866f7cab0a6cf7718168fb90777618378f0e1490b2477d4ebf9cf43716f01314bcc8c43522