Malware Analysis Report

2024-11-16 10:54

Sample ID 240616-bs8fgatdlh
Target b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118
SHA256 963ab093746ed145687176ada9884313fed3556c3db15b63be93b66c12ae7fdc
Tags
persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

963ab093746ed145687176ada9884313fed3556c3db15b63be93b66c12ae7fdc

Threat Level: Known bad

The file b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The sandbox output reproduced here carries no technique IDs; the mapping below is assigned from the signatures in this report:

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL. Winlogon\Shell set to "Explorer.exe HelpMe.exe" (Modifies WinLogon for persistence).
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Soft.lnk written to the user's Startup folder (Drops startup file).
T1091 Replication Through Removable Media. F:\AUTORUN.INF written beside F:\AutoRun.exe, a copy of the sample (Drops autorun.inf file).
T1120 Peripheral Device Discovery. 23 drive letters (A: to Z: less C:, D: and F:) opened read-only by both processes (Enumerates connected drives).
T1082 System Information Discovery. Enumerates physical storage devices.
T1486 Data Encrypted for Impact. 91 files renamed with an added extension; the sandbox tags this ransomware, but the captured data shows renaming only, with no direct evidence of encryption.

Analysis: static1

Detonation Overview

Reported

2024-06-16 01:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 01:25

Reported

2024-06-16 01:28

Platform

win7-20240221-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A

The key path is the WOW64-redirected view (Wow6432Node) because both writers are 32-bit processes. When triaging a 64-bit host, read the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell as well as the Wow6432Node copy, since the native view is the one 64-bit winlogon.exe consults; any Shell value other than explorer.exe is a finding.

Renames multiple (91) files with added filename extension

ransomware

No per-file rows were captured for this signature; the desktop.ini.exe entries in the Files section below are consistent with the appended extension being .exe.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters; C:, D: and F: do not appear) | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | the same 23 drive letters | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A

Enumerates physical storage devices
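The signature rows above are flat text. What follows is an added example, written for this page rather than taken from the sandbox or from the sample, that parses rows in this report's "description indicator process target" format and flags the behaviours they record: Winlogon Shell or Userinit values naming anything beyond the stock binary (reporting whether the write hit the Wow6432Node view), Startup-folder drops, autorun.inf writes on any drive root, and executables created under System32 or SysWOW64. It also lists the drive letters probed through \??\X: opens. The sample input is copied from the behavioral1 tables plus one constructed benign Winlogon row that must not fire; the Userinit handling and the category names are assumptions that go beyond what the report shows, since the report only records a Shell modification.

```python
"""
Added triage helpers for the behaviours in this sandbox report.
Assumed row format: "<description> <indicator> <process> <target>", where the
process path contains no spaces (true for every row in the report).
"""
import ntpath
import re
from typing import NamedTuple

ROW_RE = re.compile(
    r"^(?P<desc>Set value \(str\)|File created|File opened for modification"
    r"|File opened \(read-only\))\s+(?P<indicator>.+?)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)
# Winlogon values that should name only the stock binary (Userinit is an
# assumption: the report only shows Shell being modified).
WINLOGON_RE = re.compile(
    r'\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)\s*=\s*"?(.*?)"?$', re.I
)
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
SYSDIR_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.(exe|dll)$", re.I)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)


class Row(NamedTuple):
    desc: str
    indicator: str
    process: str


def parse_rows(text: str) -> list[Row]:
    """Parse signature-table rows; header lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["desc"], m["indicator"], m["process"]))
    return rows


def winlogon_extras(value_name: str, data: str) -> list[str]:
    """Programs in a Shell/Userinit value other than the expected default.

    The data is split on commas and whitespace, so a path containing a space
    would be split as well; the stock values never contain one.
    """
    expected = WINLOGON_DEFAULTS[value_name.lower()]
    tokens = [t for t in re.split(r"[,\s]+", data.strip()) if t]
    return [t for t in tokens if ntpath.basename(t).lower() != expected]


def triage(rows: list[Row]) -> list[tuple[str, str, str]]:
    """Return (category, detail, process) findings, de-duplicated in order."""
    findings: list[tuple[str, str, str]] = []
    for r in rows:
        hit = None
        m = WINLOGON_RE.search(r.indicator)
        if r.desc.startswith("Set value") and m:
            extras = winlogon_extras(m[1], m[2])
            if extras:
                view = "WOW64 view" if "wow6432node" in r.indicator.lower() else "native view"
                hit = ("winlogon-" + m[1].lower(), f"{m[1]} adds {' '.join(extras)} ({view})", r.process)
        elif r.desc.startswith("File") and STARTUP_RE.search(r.indicator):
            hit = ("startup-folder", ntpath.basename(r.indicator), r.process)
        elif r.desc.startswith("File") and AUTORUN_RE.match(r.indicator):
            hit = ("autorun-inf", r.indicator[:2], r.process)
        elif r.desc == "File created" and SYSDIR_RE.match(r.indicator):
            hit = ("system-dir-drop", r.indicator, r.process)
        if hit and hit not in findings:
            findings.append(hit)
    return findings


def enumerated_drives(rows: list[Row]) -> list[str]:
    """Drive letters probed via \\??\\X: opens, sorted and de-duplicated."""
    letters = {DRIVE_RE.match(r.indicator)[1].upper() for r in rows if DRIVE_RE.match(r.indicator)}
    return sorted(letters)


# Constructed input: five rows copied from the behavioral1 tables plus one
# benign Winlogon row (stock explorer.exe, native view) that must not fire.
SAMPLE_ROWS = r"""
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Windows\System32\svchost.exe N/A
"""

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for category, detail, process in triage(parsed):
        print(f"{category:16} {detail}  <- {process}")
    print("drives probed:", ", ".join(enumerated_drives(parsed)))
```

On the report's own rows this yields four findings (the Shell write in the WOW64 view, Soft.lnk in the Startup folder, AUTORUN.INF on F:, HelpMe.exe created under SysWOW64) and leaves the drive-letter probes and the benign Shell row alone.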

Processes

C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
  Command line: C:\Windows\system32\HelpMe.exe (32-bit image started via a system32 path; file-system redirection resolves it to SysWOW64)

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 8252f492de4c56fa0ee6c066538fa941
SHA1 49e26af020222f69838d79e29f2dfcb14262a0b3
SHA256 bb9a3c615fe6652ba529fcc6ae21d5c366a611b174e3e04cf93d09105548e430
SHA512 051f3630304822201db56fc2fdd110c4bf47b636df9dc84d522189f588d367b27eb85c11cdd784c161cccf165661f4e5270555fbd324f75d8d290b370bf0a955
(not byte-identical to the submitted sample; the same HelpMe.exe hashes appear in both detonations)

memory/2180-4-0x0000000000480000-0x00000000004F7000-memory.dmp

memory/2724-11-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-13-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

MD5 8683366085af5a0b52df3dcd6786a283
SHA1 882a1970722f36b55030b07144eb4ed21df4ab1a
SHA256 176acff6b58e817f71906e949298932d1b53ff94f484b62d19b572bb7f2ce31d
SHA512 3d4d93bbd3efc436f6364e122e344f7655f57fd23c74efed382f3ebad078152fb406ad8f749f6854107cab2d9e24f65216117efea00dc255a02719edeff06e76

F:\AutoRun.exe

MD5 b118e616389cad55b0bf1bd07bd6956c
SHA1 8d4d8413aa4a2d0dda4250697ef47486bb102230
SHA256 963ab093746ed145687176ada9884313fed3556c3db15b63be93b66c12ae7fdc
SHA512 17a87a3d9d34d74edab85afb5e9e5196e7edc91191a5d90ef167b6854b1b5e8289b0f08b237f52d61896d0e79cb14bcdf167c5da95586e22335ff07628f5989b
(identical to the submitted sample: a self-copy placed on the root of F: beside F:\AUTORUN.INF)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 43cdc66f06f2dca0be5133be3e6bda0e
SHA1 1cbc7476c10876b95ff8fb279d4e33a00cf0930f
SHA256 a12b9865f31060162c6ca9c5043f4d3dca7224dcd7c971dd99f309c69ffc7037
SHA512 0b2b2e1aa20f9935300e9142dcf529cb81bf7242d810ff984239758c211efb5eba6b4a588a4a188a7426a0a268fb5bc5bb3f1f9ac92a281e04dd15c6aff370b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the hashes of a zero-byte file: this capture of Soft.lnk is empty)

memory/2180-231-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-232-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 59b3f2e11cdf2dea0e90e7b6ba7bf4aa
SHA1 3cd7166a577ca7834f8e44479e45691997f21cde
SHA256 34a7647a1205956fab2cb6c1e4ddffa20f232087a59b6ce852590904ac028c46
SHA512 b108e622b1e71cfbad6297aa200fcd747139889e81570fdcb482a827b8a96d2885f793edb849af46caeecd4c2782fded8383c3948db8373383ebd6a941ed8946

memory/2180-237-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2724-243-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-242-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-244-0x0000000000480000-0x00000000004F7000-memory.dmp

memory/2724-245-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-254-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-255-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-266-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-267-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-276-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-277-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-286-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-287-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-296-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-297-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-302-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-303-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-316-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-317-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-326-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-327-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-336-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-337-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-346-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-347-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-356-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-357-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2180-366-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2724-367-0x0000000000400000-0x0000000000477000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 01:25

Reported

2024-06-16 01:28

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

As in the Windows 7 run, the write lands in the WOW64-redirected view; check the native Winlogon\Shell value too when triaging a 64-bit host.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters; C:, D: and F: do not appear) | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened (read-only) | the same 23 drive letters | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b118e616389cad55b0bf1bd07bd6956c_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe
  Command line: C:\Windows\system32\HelpMe.exe (32-bit image started via a system32 path; file-system redirection resolves it to SysWOW64)

Network

Files

memory/1316-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1316-1-0x0000000000600000-0x0000000000601000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 8252f492de4c56fa0ee6c066538fa941
SHA1 49e26af020222f69838d79e29f2dfcb14262a0b3
SHA256 bb9a3c615fe6652ba529fcc6ae21d5c366a611b174e3e04cf93d09105548e430
SHA512 051f3630304822201db56fc2fdd110c4bf47b636df9dc84d522189f588d367b27eb85c11cdd784c161cccf165661f4e5270555fbd324f75d8d290b370bf0a955
(same HelpMe.exe as in the Windows 7 run; not byte-identical to the submitted sample)

memory/4196-6-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4196-7-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

MD5 53b479de80f151da56518ae4074e013f
SHA1 3090c31e624e528c82cf225f36a79a11042380cf
SHA256 231c29150ff3a04d533ccaacb805d56a74c37739283b1e42a2afce0a8bedcf4d
SHA512 70a359b590f61edb762c62a96bf27ba41bb9d9d1feb96f1fad13665cfd69e02c0c0b4d5e34743cb9b47e87c7862e552849e08cb35fabf6117393af27fcef6e8f

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe

MD5 773e07687b980a8e11b851a8673279fc
SHA1 5f75183fe9c1ad72301682b58c8423a7f4f05f05
SHA256 753da5cf897cdfe77055d665f6c56d6973699fbcd8b204d06d2efa92d37915de
SHA512 f82b07d38efd6b110d56809ade5d9021e53f2023960db5b8d84e51653a2178eaf30b7f53e3a11aadbe489f2f81505e748703edb391b5bc282ed7ebbacef31349

F:\AutoRun.exe

MD5 b118e616389cad55b0bf1bd07bd6956c
SHA1 8d4d8413aa4a2d0dda4250697ef47486bb102230
SHA256 963ab093746ed145687176ada9884313fed3556c3db15b63be93b66c12ae7fdc
SHA512 17a87a3d9d34d74edab85afb5e9e5196e7edc91191a5d90ef167b6854b1b5e8289b0f08b237f52d61896d0e79cb14bcdf167c5da95586e22335ff07628f5989b
(identical to the submitted sample: a self-copy placed on the root of F: beside F:\AUTORUN.INF)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the hashes of a zero-byte file: this capture of Soft.lnk is empty)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 71b694d50714e6c9a528d71c3f6bccbf
SHA1 8ca0384120169b2c0309b99cf8f7a2f100c4cf11
SHA256 066e1cd2a20856d108034cb876285651779e169358cedcca3fb8c20e3dd29a15
SHA512 5fd8d6bb9503984bdad289012401f432ff1af96333ba332f138d0cff576d57d4fd74a903e8e8bad8b0c5d603eca45e5421f81f8cc6d2da0ce3388456d93e8549

memory/1316-51-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4196-52-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1251b7a5688fde5a5945afac1df17c15
SHA1 b5e100ecc75c5e51f837c3effe7d8a59fc04376f
SHA256 187de3cf965397f0a50682aa91e0793605bd5604ffb926a1ac69d0bd0e6a8811
SHA512 b8107935c8fba6120c74274c266f1fa5d8ea19cf45a7faa94b32d648ceda65e288d5f3c1364fcd0bc41e949d5f7a8c0ae6c6530903be618c3e34d08c3804deb8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1b060698a1f3a21b79e0d3fc9a5b44c9
SHA1 faf2a2aae09118c3fae9bd37864b18705f9445d3
SHA256 5184cf85943e10b1d54e609239306e9f94f3706f6468ecd8c79fb7c97ad08015
SHA512 c84da9ea76d75f435f152fedffe4dff4215f8900241bc7430dc7ed2859bf3e24f9e224f9eaf39c1354f4beb6a8fe38bb1a69f19d1a7a3c7e79b66665b0d79d99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 621f433f37efaa2a2787c44158245628
SHA1 e51635f1fae718eab768a88d2d78874a721bce9a
SHA256 f755a66f5fad4c344ef27b22ee3e16ae510b902f53ce85e882846b2fb93d046b
SHA512 e9f6439a5f2d6e900e46bbdd44698c0defa0550c1895f090b4e4f8c34fcf354664785417525efc287294fa0bd5ded59682de067a7b5a4db7e7e627d43311da54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 009fccdd8eb49097ad04c9f940a43da9
SHA1 5d24d6292324008ec00c27289bd1b8de81ada22e
SHA256 74cf3a380fa8b5a93dd526a2b0cfb3be345b20b971af3e77a926d8680eb9a661
SHA512 5094a0c98945b24ea1ccbad1a5fde076732b14cc8bb0359ed71255747c2b8bb9739e914a48f66c62c008a9ac6fb8af38a07d2e8bdb09913f77723e036632b380

memory/1316-61-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4196-63-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4196-62-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61d42b6135e52b3a7aad241ec3e56e0a
SHA1 112c528a645255aa20cdc7050e74a6b2918b4d41
SHA256 b6ecf03f9b1ff091d687bf8e42329cef55d8f5aaece03e4a15ed6d39e5e7e4b5
SHA512 d82da71cd33505d6ae836b0cd97f60518b3a9f28bf0c4947602675ba2de65decec7c2a2ab6cf2daaeef51e55788a96c962bb70c82f4490c1825ffe4fcf8377d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2a308d368068bc47cde54144c1ee41f9
SHA1 9486e2fb2a5cec76cfc9155927141492a7209161
SHA256 56af5ad0646e6b20e2ac02ef036e82c9ef2ec5deceb4b9326c03a45e7bfafd89
SHA512 e78eec83e55390fba06428350ed35b88bd8dcd76073fcb29d5542c1c8c34f99b10e16cbc6108f33a76a594d03cc71c0159386da6caad6b8c3824812252d0a46b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dcc2a09728b062416fb43d35f8a115b0
SHA1 db6ed052d25186e0a26995c7f27d8e83cd086f16
SHA256 87de17f1f7dd4dde5e01351f2b915a45548e7cea806334747ad296409f2c9797
SHA512 c0edf9e7a88327fa9da210a9dd5c0e1940abfc1836c6f79a21702dc8fae327b27da370a38b9e91712377c26be8ad1fa0a674385b8b91199a8ac26ad537b55864

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e33fc6504844d025e51249486d775ae
SHA1 aa02354f805b0af4ff35148c0a69d8f0eeb1d47b
SHA256 3282b8505d545462c992f07f4933a048efc90e85ef97eb3704510aeafabeb993
SHA512 8ae2aa40141ef42d4a511d3ab25c9fab40387f0c4e97cd72d294c14f113ebe57987b26ad0d45ff999003a115f5aae92cb6dfe3f4508df150296f4abaa9748c2f

memory/4196-73-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1316-72-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2f55e31c5d870b466e1bcb6b433fcfd8
SHA1 73172a859a6a860b26a9bc190739d52630d52cd7
SHA256 3288a7d77ecedf1b182b17ed5cca9bbe326ebb20b6e2719a623e0d17f496b2c6
SHA512 5819f281f90422c8025f15643820c861ce210b88afc7273a539265a2a3fe4dde1d08879b55570412c71477ef9ed426b2b5c6db163396f70f93ef8cba5f350561

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 62244f45ad8b2462b349d704439bbc26
SHA1 7bf67c87769509d1213e586a0cb94f4a24526a7a
SHA256 7c9853affb90d9428b8dd45e833acd8f490c6592b0706691b86be878264d886d
SHA512 82a646d68eab45e2f492bea0c69c1dcc3bf62ca6b40c9a0341cdea08c35bad32b342d60f2c04898c5fe4cc5613c751f645e99205fb77c95c1e11fa1bcf6280a0

memory/1316-78-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4196-79-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0fd9601f7fc2f781aafee27ee89a6d8c
SHA1 293d72456eb914d2fe4333a794e2bd22b065b53d
SHA256 973f4dfab98aec918c1ad94cd90ecb2df5533d202aca4c968baecdb12cc6f7d5
SHA512 457cedefaa20e0af2d619763f2cdb648bf6bf1c3e1edae96d9da4b4de3e2f2911d859a0756c633ec6d54b190d7c867295c708d4f3668a573f5969c8edda5b5e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e092e83fc82549b40b19ba54747ec4d3
SHA1 3f696382d58c25dc695302b7f9fb526e4528f693
SHA256 53739f1484208191d21493573cefdd6df8030535f394ffeb53750f05993d50ce
SHA512 b200d130ca8734dcb757d922dbbb5333c2db3a55205eb1d57e9f26c6f3d28f17788406481ff080eb6ce6cc900ef2a4cf58e1b9a98f7ab5953347993e4b8955cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e85eedd5440752d6e024f18980c6c456
SHA1 5df8663b7a858c060c4c21098744d7d479e1ca23
SHA256 53eee150c46366c48ccf41dbff6ced504d26f125bb49bc5e47c00767e321bbe1
SHA512 bb1b9087e7cfe895731a879ded9324df368821468338acc3af37e4970beff234303c9e3ef8a0810cbe507b23dfb8d54c296323472983746a18ccd77965a7bb16

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bf6ae2cdfc0ab1e7189ce3c3594be4af
SHA1 9cc09b3af4f601454b5a5ad7cf7b90679b512909
SHA256 a5dca77e26ab00900815db3af79f59f067439a2574aba1e318edfc83c96c103f
SHA512 34503d998015ba09ad4813093426879833225febfa4fe2200e80ea9abdf998ac2175bf0ea08709d8bb3bf829b06f8d66f9b5ee09b5a29e8b3af8282c607e627b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 08f2b6dddf7fcc59105c9e7e67f73b5a
SHA1 a231c90e1b71b0422d415f5da116037be260066f
SHA256 62a1a92cab3e36d665a63d405b62472ed053b47f5e174fbb16b43e995c4786bc
SHA512 94f7083814ca3b441766b57bf9f2791ae18d5717389d602d130368789f96b2e35bd6483c45dea216df098b8712612cd9622148d7f41e8cc1e9cb998902ba7711

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 57bb56558f96562cbcd2405f3e99e89f
SHA1 f336ab74a146a3718acb3a1329f848fbf6c2066d
SHA256 75a6dfadfd0227ea3fc8d1cd0f0e37d6533380e24d49afb87b4f65ddfb1ecc79
SHA512 6b101fb85bfeb9a33d5ff98684f9c9ad862808ee6999b80845c90b3612fee352e411179daa2d22ce3c4706fac1601c57ea3a50531c89e6f1384a2fe1ca3b8ff9

memory/4196-93-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1316-92-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b7776d521cb5a2f1f3a41d97eff2401a
SHA1 f2bd16b23ee04f184143edbdc6937f7702279028
SHA256 ff1afdcb9b691354974b832be8e2618ae6acadd5edb35e69e08a803a58b14166
SHA512 26dc821616e4c168b0605a5f31a6c52bad15d0168e22a6a9b2bf8d02e30e9321378ce95674e77961ad350cedec86bba3009b921a19acef7263c6fc67012795bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d49dfe1bab371750c5c014eef1242c2e
SHA1 053c477611cf2c62e6ebd96c4befcc4770dc67b7
SHA256 e4c8cddb021bcf4d70ee3e173e4ad9abba49e06b9a4a773c667844c7c48eaf86
SHA512 fcb0a28053781c5fabe5bf43cd5fb79f9f0a2834b807d9b348b5e2ce2197a5e8dd24bf8efad6add43b45754775293346a64c371bc585f79c00f544b2b5470eaa
