Malware Analysis Report

2024-09-23 05:02

Sample ID 240613-h8fhysygng
Target a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118
SHA256 b4c2962817c73cea80fea11858bf85e95cf67dc9841db7d065b6e074acb8a07b
Tags
persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4c2962817c73cea80fea11858bf85e95cf67dc9841db7d065b6e074acb8a07b

Threat Level: Known bad

The file a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:24

Reported

2024-06-13 07:26

Platform

win7-20240611-en

Max time kernel

146s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:24

Reported

2024-06-13 07:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a468565f0d12d68c0d4d6b8db12dba00_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.exe

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk


memory/4360-147-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1972-148-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8bf52184acd55c89708667718b33c9fe
SHA1 557beb953652ef8f27a70b2ca113dd39cc89f97b
SHA256 5f0df27d33b1576b73633df970a1a79480380ab34f6e97cb00cbc8d981cc7cc6
SHA512 b3aa2603813f714d62fa949f01bc4481216825894dc1b82b673439750ba0d71672eaf70650cd5b2db7a4f7f85d8075ed8c4e0089efde52b3ce9b58a4a76ddefe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 530dc9f9ef69b9dbd78516baac917ed4
SHA1 b15ea3ea2fb0d90a6f50d29db140b46a41688fbe
SHA256 d4f332afda685e83d284f9a4279c6dd3982b6b653614dcff6cfcdfc7b5d879b9
SHA512 3af9a271dd19ae123f95576d038f532243672894b59aed5ab9978690859e1fce18a09877cb9708e352634114737b5079afe20b27874a216f3fe31998f9fdce4a

memory/4360-156-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1972-157-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5942f84f5aeed1b52c7336ce638b1cd9
SHA1 6fb61e09032e3e3dc30908592787ded3c692887b
SHA256 06cd6bbe96df3bb27dbb1a38254d9bb5d37ff5c7e1adcbc0f50be2277edcf3aa
SHA512 7f9cd892586cf923162b333ad8c240b327629c83d25dc819204e16147acc48fc6176671448c214567481ab7f4c60c30f68a2920deced34b656043d68e8d7d641

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61dc659973127328a5f8b7b169af1483
SHA1 8be6190df25b8a251c5d8aa8274173a58494b11b
SHA256 ee7b5547c829952a9ce3dfee7a0e3c49850736959849ef26fe63ef90a194a870
SHA512 ebd75ca0ac0f1d29e6c08b0e55b67db3ffcb6ba974f670f285db5eb3979bf3c2232a176be2c1ef82ec9a2fa2e73e1ce501c6c141be21a5b76fa67ad16ae70f4a

memory/4360-165-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1972-166-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b283848097325683d05f7fcbf030f658
SHA1 0fe50d7e27e50851498be7a757540a48582c54a1
SHA256 bafe7f7205368cd76af786a00fcb698881998c4a3df2c34aca0a19ad90ec8a4b
SHA512 d07931ba0a3af9b0e38cefcd0daacad1fcd716409b35edc0dfe768ceb82a6d1ac38f470ecd2546256a60d3bd2bcdc846753252c560f28331fe7f0b4cca70dac5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f47ea2e031db6874804ba1a19d43be2b
SHA1 aa0d02b1a569b15f038888e92da7ba4840b66e4b
SHA256 bc29e3c4c4000662a3d5cacef1fed66961b5ecacdb7d43969ca098279c6643d9
SHA512 6618779d657cf5d340ea9cf99bddb1c1d5a85a8bdf7ad97b2f0737198a6f0cec54748794e738a8dd222d993ec230daeb3e77631669770ad81c6ae3d46cec51b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 16a90f63b65310ef473d9b370c3d0443
SHA1 a49121ba061c19537cad89b9c3e3522b88824a17
SHA256 74f870f74ea288ca7aadef00899c28a51498da40d698bea070fdd9612054ea09
SHA512 a0071e25eaf30e6d9ab38a581dd1d259240d265d47ef37a5aa01b0e01445b805b2e01fd99ad6bac04d311a1a85fd06c2d460356c2dd9e6355482f69a77d8ede8

memory/4360-174-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1972-175-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bacbe1a77107ffa28f3c52dbbee0303
SHA1 497840a40a9a9825e4ae9b490f5ddeac237e66de
SHA256 bd99c49a538a7900e59002e67826d7c415b6abc345b149ef56948c1d948d252b
SHA512 a9511c3ff17a7ec5f6230700bd0a162367ee44af87089deadc628641da5137bb3576bfc64ccb07b6b4a7f0641ceaeaddf9387aafe3780a6087e61330b3f86b2c