Malware Analysis Report

2025-01-03 08:26

Sample ID 240617-drr37swclq
Target b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118
SHA256 842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80
Tags
persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80

Threat Level: Known bad

The file b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:14

Reported

2024-06-17 03:17

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
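
The two Shell writes above land under Wow6432Node because the sample is a 32-bit executable: on 64-bit Windows its write to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is redirected to the WOW64 view, and the 64-bit winlogon.exe reads the native key, so that value is never consulted at logon there. The Startup-folder Soft.lnk is the entry that actually survives a reboot on the x64 platforms used here. The Python below is an added example, not part of the sandbox report or its tooling: it re-implements the "Modifies WinLogon for persistence" and "Drops startup file" checks over event tuples shaped like the rows above (the two Wow6432Node rows are copied from the report; the native-view explorer.exe row is a constructed benign control) and, when run on a Windows host, reads the live Shell value through both registry views so the WOW64 and native entries can be compared.

```python
"""Winlogon Shell and Startup-folder persistence check.

Added example, not part of the sandbox report or its tooling.  It
re-implements the two persistence signatures over event tuples shaped
like the report rows and, on a Windows host, reads the live Shell value
from both registry views.
"""
import re
import sys

DEFAULT_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def parse_shell_value(value):
    """Split a Shell value into program tokens.

    Winlogon documents Shell as a comma-separated list; this sample writes
    'Explorer.exe HelpMe.exe' (space-separated), so split on both.
    """
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def shell_extra_programs(value):
    """Every token in Shell other than the default explorer.exe."""
    return [t for t in parse_shell_value(value) if t.lower() != DEFAULT_SHELL]


def registry_view(key_path):
    """'wow64' for keys under Wow6432Node, else 'native'.

    A 32-bit process writing the Winlogon key on 64-bit Windows is
    redirected to Wow6432Node.  The 64-bit winlogon.exe reads the native
    key, so a Shell change seen only in the WOW64 view does not run at
    logon there.  On 32-bit Windows the same write hits the real key.
    """
    return "wow64" if "wow6432node" in key_path.lower() else "native"


def assess_shell_writes(events):
    """events: (key_path, string_data, writing_process) -> list of findings."""
    findings = []
    for key_path, data, proc in events:
        if not key_path.lower().endswith("\\winlogon\\shell"):
            continue
        extra = shell_extra_programs(data)
        if not extra:
            continue
        view = registry_view(key_path)
        findings.append({"process": proc, "extra": extra, "view": view,
                         "effective_on_x64": view == "native"})
    return findings


def is_startup_folder_path(path):
    """True for files under a user's Start Menu\\Programs\\Startup folder."""
    return STARTUP_DIR in path.lower().replace("/", "\\")


def read_live_shell_values():
    """On Windows, read Shell through both views; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, so imported here
    out = {}
    for view, flag in (("native", winreg.KEY_WOW64_64KEY),
                       ("wow64", winreg.KEY_WOW64_32KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY,
                                0, winreg.KEY_READ | flag) as key:
                out[view] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:
            out[view] = None
    return out


# Rows copied from the behavioral1 tables above.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"
HELPME_EXE = r"C:\Windows\SysWOW64\HelpMe.exe"
WOW64_SHELL = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
NATIVE_SHELL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
REPORTED_WRITES = [
    (WOW64_SHELL, "Explorer.exe HelpMe.exe", SAMPLE_EXE),
    (WOW64_SHELL, "Explorer.exe HelpMe.exe", HELPME_EXE),
    # Constructed benign control: a native-view write of the default value.
    (NATIVE_SHELL, "explorer.exe", r"C:\Windows\regedit.exe"),
]
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk"

if __name__ == "__main__":
    for f in assess_shell_writes(REPORTED_WRITES):
        print(f"Shell += {f['extra']} by {f['process']} "
              f"({f['view']} view, effective on x64: {f['effective_on_x64']})")
    print("startup folder drop:", is_startup_folder_path(STARTUP_LNK))
    print("live values:", read_live_shell_values() or "not on Windows")
```

When hunting on a real host, compare the two values returned by read_live_shell_values(): a Shell that is clean in the native view but carries an extra program in the WOW64 view is the footprint of exactly this kind of 32-bit sample, and is worth recording even though it is inert on x64.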

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/3060-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 6499ed619fb94a2d9ff5fb3995b76402
SHA1 6652ba03faa7b336363ae17dd94d640fb1c0c6f4
SHA256 25b2e2689874320f0b086ae8c8014e9aae9e894046c3b3cb09808416cc3d511f
SHA512 470db86685da09e26160a611c745d5e0d840c79280f7494776cb789f42ff7380572a34e4a0498fc71e51347dba2180d04d1ffe12c6b5924f627c8f01d9a9c06d

memory/3060-4-0x0000000000320000-0x0000000000397000-memory.dmp

memory/1188-11-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

MD5 1cbd147fdb813e843c216ae935f643ff
SHA1 48f2ab298c7c723f4e225aa36b62fd0a18cef158
SHA256 27daabd6f6e3b73a1a9a713601d2b05c2d7e90841477b841beb9a3e6bdfe3e21
SHA512 fa144bf79e033c03109e191461c45acf2edecbdab5de762524bcb6021a1fb824b5917dc38914799406691200f0228868eef81df1bd500cd7b168d8a64e86b1ea

F:\AutoRun.exe

MD5 b683f61f2c3d5e3b4aa37b4f3e947e78
SHA1 ce042e2232d191e8dc2d61e8938f066a7e6aff90
SHA256 842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80
SHA512 197ea1bb91fff4e79cbac382f89805ff7e53359577bf0909fcbf2d1bca66ef2dd9d8ff649283d067df840bd6e604794da0a668901c80b3ee29534f6ad6a5e983

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3060-231-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d0a25c3218ea5e799e150f73c025841
SHA1 a64398dc461b185a4bb601346bf2339cd815b42b
SHA256 2576d2930a9493c7a83173aee793ad5d33341598a2ece274a013bffaeb9539b2
SHA512 1fe7cf550fb239f15d1c6e45a0811464bc29bbd83baaa35e73436debd94ce33fd5eac43367cd08dbe16f1788a1061fc268de15060b40b5f83c3e19d52e2260ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 93c505880201780477dc0466b25aeccc
SHA1 27e131d3efe158b674032687aeb9a7ce7c7c9ce4
SHA256 c4f65828a07d7a169e7358c504e2f2e8d9a4919ec6e1ae88a0e71e02b48b4224
SHA512 ffdeabf41fa360a0d3c637793b9f28186828021ed8236f4d5e9728ca03cdbb72d1603207821a8248c7f6c0f946d01bd99d3508cf60b0dde6d731debd017dda5a

memory/3060-236-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-237-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-238-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3060-243-0x0000000000320000-0x0000000000397000-memory.dmp

memory/3060-248-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-249-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-250-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-259-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-260-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-267-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-272-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-281-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-282-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-291-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-292-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-301-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-302-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-311-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-312-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-321-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-322-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-331-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-332-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-339-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-340-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-351-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-352-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-361-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-362-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-371-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1188-372-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3060-377-0x0000000000400000-0x0000000000477000-memory.dmp
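
Three things in the file list above are worth reading off the hashes before anything is run: F:\AutoRun.exe carries the same MD5, SHA-1 and SHA-256 as the submitted sample, so the AUTORUN.INF written next to it points at a verbatim copy of the worm on the removable drive (Windows 7 and later do not honor autorun.inf on non-optical removable media, so this vector needs a user to launch the file); the first Soft.lnk entry has the digest of zero bytes, meaning the shortcut was created before it was written; and desktop.ini.exe is one of the 91 files the signature says were renamed with an added extension. The script below is an added example, not sandbox code: it tags each file entry by what its name and hash reveal, and flags processes that open nearly every drive letter, the sweep behind "Enumerates connected drives". The paths and SHA-256 values are copied from this analysis; the drive-open lines are rebuilt from the table in the Signatures section plus one constructed benign line.

```python
"""Triage of the dropped/modified files and drive-open events above.

Added example, not sandbox code.  Tags each (path, sha256) entry as a
self-copy of the sample, a zero-byte file, a double-extension rename,
an autorun.inf or a Startup-folder drop, and flags processes that open
(almost) every drive letter.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_SHA256 = "842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # e3b0c442...: a zero-byte file

DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.I)   # notepad.exe.exe, desktop.ini.exe
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DRIVE_OPEN = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")


def classify_file(path, sha256):
    """Return the tags that apply to one (path, sha256) entry, in fixed order."""
    tags = []
    low = path.lower()
    if sha256.lower() == SAMPLE_SHA256:
        tags.append("self-copy")          # byte-identical to the submitted sample
    if sha256.lower() == EMPTY_SHA256:
        tags.append("empty")              # created but not (yet) written
    if DOUBLE_EXT.search(path):
        tags.append("double-extension")   # original name kept, '.exe' appended
    if low.endswith("\\autorun.inf"):
        tags.append("autorun.inf")
    if STARTUP_DIR in low:
        tags.append("startup-folder")
    return tags


def triage(files):
    """Group paths by tag (deduplicated); untagged files are omitted."""
    by_tag = defaultdict(list)
    for path, sha256 in files:
        for tag in classify_file(path, sha256):
            if path not in by_tag[tag]:
                by_tag[tag].append(path)
    return dict(by_tag)


def drive_sweep(lines, min_letters=20):
    """Processes that opened at least min_letters distinct drive letters."""
    seen = defaultdict(set)
    for line in lines:
        m = DRIVE_OPEN.match(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return {proc: "".join(sorted(ls)) for proc, ls in seen.items()
            if len(ls) >= min_letters}


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"
HELPME_EXE = r"C:\Windows\SysWOW64\HelpMe.exe"
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk"

# Paths and SHA-256 values copied from the behavioral1 Files section.
REPORTED_FILES = [
    (r"\Windows\SysWOW64\HelpMe.exe",
     "25b2e2689874320f0b086ae8c8014e9aae9e894046c3b3cb09808416cc3d511f"),
    (r"F:\AUTORUN.INF",
     "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae"),
    (r"C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe",
     "27daabd6f6e3b73a1a9a713601d2b05c2d7e90841477b841beb9a3e6bdfe3e21"),
    (r"F:\AutoRun.exe",
     "842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80"),
    (STARTUP_LNK, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (STARTUP_LNK, "2576d2930a9493c7a83173aee793ad5d33341598a2ece274a013bffaeb9539b2"),
    (STARTUP_LNK, "c4f65828a07d7a169e7358c504e2f2e8d9a4919ec6e1ae88a0e71e02b48b4224"),
]

# Drive-open lines rebuilt from the "Enumerates connected drives" table
# (both processes touch every letter except C, D and F), plus one
# constructed benign line for a process that opens a single drive.
DRIVE_LINES = [f"File opened (read-only) \\??\\{c}: {p}"
               for p in (SAMPLE_EXE, HELPME_EXE)
               for c in "ABEGHIJKLMNOPQRSTUVWXYZ"]
DRIVE_LINES.append(r"File opened (read-only) \??\D: C:\Windows\explorer.exe")

if __name__ == "__main__":
    for tag, paths in sorted(triage(REPORTED_FILES).items()):
        print(f"{tag:17} {paths}")
    for proc, letters in drive_sweep(DRIVE_LINES).items():
        print(f"drive sweep over {letters} by {proc}")
```

The double-extension rule is deliberately narrow (a short original extension followed by .exe) so that it catches notepad.exe.exe, iexplore.exe.exe and desktop.ini.exe from the signature tables without firing on ordinary executables; the drive-sweep threshold of 20 distinct letters separates a worm-style A: to Z: probe from a tool that legitimately opens a handful of volumes.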

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:14

Reported

2024-06-17 03:17

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b683f61f2c3d5e3b4aa37b4f3e947e78_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/2068-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2068-1-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 6499ed619fb94a2d9ff5fb3995b76402
SHA1 6652ba03faa7b336363ae17dd94d640fb1c0c6f4
SHA256 25b2e2689874320f0b086ae8c8014e9aae9e894046c3b3cb09808416cc3d511f
SHA512 470db86685da09e26160a611c745d5e0d840c79280f7494776cb789f42ff7380572a34e4a0498fc71e51347dba2180d04d1ffe12c6b5924f627c8f01d9a9c06d

memory/312-6-0x0000000000400000-0x0000000000477000-memory.dmp

memory/312-7-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 8aab655f17cda6b238ad9ad961274667
SHA1 2896e9606f148c19ca527fd1bd107cdf298ab701
SHA256 a3656b816126ab33d7424795b6bed54eea8a4aa7079bbb79f272b749cf2fa08c
SHA512 5f2f6dfbe82a2fddb3668f139229df12db26b1ed9e713ea2e1f7cfdfe722075175ca3bde1a8a8ecf43a051e1e89f7af4ef26d7a0599438009dc240a0e00694da

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 644724b8a1bd21e23a1d22a22b7cb4f6
SHA1 902a711eef76e6c3cdcf5f9f3a2e6a6575c371de
SHA256 5559bee4949baeba10e6599af2023d0635a995d6430dd11af3cbaa90e9d37ff5
SHA512 0a27bd21a4a85981ff6a8d6c8c37a2f11e03a836f6696b661d3716a6372136aa6e59c15c4be6b65571c516bd5e00ed1b92e8124c7d8e2a1ede1734f04f34426a

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 b683f61f2c3d5e3b4aa37b4f3e947e78
SHA1 ce042e2232d191e8dc2d61e8938f066a7e6aff90
SHA256 842d328d3fbde83c400986ced316ef6ac256ea3501590bd806ebb24949fa8b80
SHA512 197ea1bb91fff4e79cbac382f89805ff7e53359577bf0909fcbf2d1bca66ef2dd9d8ff649283d067df840bd6e604794da0a668901c80b3ee29534f6ad6a5e983

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 37d15599a640410fcd9146bb99a4c354
SHA1 e56425ad3e8a0bf21c211e975fd98a9f13d4c306
SHA256 aec58d6950d3400a8a819b39ee6f75d2fbb52d0eeb59c28836df4ef1ac2149a1
SHA512 82a9fb37926701187337c1045714a0be80aa4868c0abc19ba3d0d07d7ed11d66ff258b2dc8b8cb23854a42e70b0f319de54ce506a2b273c39ac356c373563004

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 969c3cad86fe05070cf3ba99ff2769b2
SHA1 460873aa8811851a8e64bb2f4e98f8d55cf54b05
SHA256 341e33672518202c37b5004c174d7718806f9f42b7c88ddf8084513d57153005
SHA512 b0a6eb67db2ba2ff50e5cbcca04ecdf3b6d70a0652dfab4a8c53e43377d6150625a93d89fcc4fe83c60c5b230c4acc8baeca09cfcf8d493cf36b73f9d3fe26d3

memory/2068-55-0x0000000000400000-0x0000000000477000-memory.dmp

memory/312-56-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 74771d5f91c3bc171bb456d1abc48732
SHA1 5af9efa2abdaef3caff0fef44a87fce84257d9bf
SHA256 67c91a031dad7ed68c0c222ab984037d0b8dd6ff32c67c8fd8f061c4ca6ac4e7
SHA512 83da0477ed713086779b21db0518d9a92fa8e1abb77e2dc408ad534726a03c73460299f13c4ca848c52cdb5f48a6bd1f94f1e8b7c14fb327c7784ce74d4ef6b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6920b3080142c670fe4c918bdbaf865a
SHA1 90fc916373894e71df099b91782b8a8b57fc1ae7
SHA256 ad768d5c4b89c317ea9e20762b50df179f2f8ab20f2f31df1e759fb7b05277cb
SHA512 d8e170a25de05a9cf3f475c9ebcbcadc9481f74e432c3eaee1e256a5ebe9e9155aef98aea4cced72f725df9af2be58291cdd95dd5a3e82652e568181e70237d1

memory/2068-61-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 67e5ff958d568da3559e106a0013dff5
SHA1 990efd8c92738f397deba5a3d56aaee2a7e49f07
SHA256 968a2ee3c0567120968ae84fe8c6039d5b592b24705c3d7ee5f1363777c1562f
SHA512 71fcff56e5cb42b311bdcf16646d1bc3b7fce4d1167ee1a7ca5ee0c3b5f2f85d97909b040eb3503eb37dc5504e02f9a40a900631f3ff558643372865782a9bb5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a2df521034f469a62f50a328fe5c6530
SHA1 3103eee0f827f74db52e6d7df842c4b8024d3613
SHA256 4a68b7425064f2e59d852ba469872929560321b88f2eacd4ec1ba18420e150e5
SHA512 c3606341d9c4bc7f7bca4225b02e07ed04f36e4c87231c3129d698e1ecf6075763baa84242f5029c50ee3f7523ee29902ffc55c7efb2ac8e773a13da4cc404ec

memory/2068-66-0x0000000000400000-0x0000000000477000-memory.dmp

memory/312-68-0x0000000000400000-0x0000000000477000-memory.dmp

memory/312-67-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0a9dd2e9bb98204b28b7dc029b1f7771
SHA1 c488ba180de24ab28cd6a20cd1e3701072520cd4
SHA256 4210c6121169ed0e06858b7738eae91e7568b0c33e34859f2b41c630a503a6ca
SHA512 a96f2094a637bc5509557534667b237e07faef30f8a3066dbb398c99fb22216e97f5ca0d33ac87011a8c10b4a810e9816792f2a50393467fb5b8e026a3b1b508

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb62ba2a119f375b3c38cd56500d2953
SHA1 5a82570bcef0574fb0449801c8877c3ad4602b45
SHA256 2a45c95838e3d91768c7d8d9bcae5fe26448a2fb0cf56d4df6752b2532516030
SHA512 989d72a98bea012ced09416c26db0d4a89be6170df3a14e07d3c893004402770f3dc3d997feda1eaedf4a1ac1369a5a34b490cd42cd5e2218fc5e5935a567bd8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b8fb4fdd95d8f4b035167b2aca9f0509
SHA1 fdf565dd90293c4fdd4e9cf24765435dd7073c75
SHA256 c95c698dc5042cc28b2b1d4431034d7b116954b5d246fff0c8b9421429b02226
SHA512 ef6a02bda96b9dc42742465702047861f95f57ac63b44e267bfb89608c585af076f676b9605697c4ad5e6dafabc83cc74a5c44a977956e759a73000d67ced060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1e6d2945d09c47a56269e2ce3f5e6e3
SHA1 85a8004d984a48ddff44a16abc4945f7929c1e85
SHA256 3a672134d97959fe9801b10d7eb186f05467d9a1401393440af8320672aad7a5
SHA512 6f4cee7b62128962f4f58424c3ff89da11508e1c0afa38cd56c37f667bd3cd725120c94e3263b596fe44fd4f9b4fa839b07695a5af8c0d2923c244659b42dd07

memory/2068-77-0x0000000000400000-0x0000000000477000-memory.dmp

memory/312-78-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 921315884bc8453c7ec99e7787a814a5
SHA1 8298700077c04ab1a64638b12b8e269c6ff52a10
SHA256 875447712d107f067e58449a34151bbfb9c82af8fc294a173c61f5e1d4fc7bb7
SHA512 a5707fe026c54846814bc8e06c093ba9ed13e435838d59aef4c7342b811ee2b7aa611d28af847d9b2ea31e79e657ecec26b48b95068fe1f34b7f3ff0404a934c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 149d72b851038d6fa44c5f0b226e48f8
SHA1 8cdc4e822a8d4c595e605cfc458ec8f5f3476aea
SHA256 7c932aa203cb3de58ec27d58b6710e7554ad67ad18be2a1b000d9839bdd22780
SHA512 d01f959a8da15e58ada01093abf750bb1964d7f98e3f4226c1d65e7c5ecdcd965f44d737d2c5e7e11682d7b4a6d8fe2eeeac75b3d9ee233684f2a72904e4456a

memory/2068-83-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 587475eb4491ffff3cf09de1b8402c52
SHA1 94b3281a82385c894520909287985adea02a6224
SHA256 d525ef245a95f7261d63166e85240f3d64f5cae263ca18bb04d2c92743c21d22
SHA512 626ccf9502b7fe2651e9c5df2f3d3e504929bd45790f7d5670844909c00891bd3da5951ae616a69ae722865ad5a34708ab55376f5c234d41add02043ececdfb8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 75a7d25b7baf0dba998abdcbad68180f
SHA1 84db6922c27c5a74e69368342465f510d0abdcd7
SHA256 83ad581d70fe9981bcfe1b301977dbb27c9cc422fb3caf2bc55e720a0dbac633
SHA512 07455268f9060bb4b0a4b46aa24e3eb80090190f33ff530b8d5b52643845b764848b0fdec52a6934f74a60cc7ac535e3a05cfbbe337c36b7d8406506a9621f7b

memory/312-88-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cc9860849c4f150af06b8916f5573046
SHA1 8894f62c44d7400bd23e5d9dc4f3b10724631042
SHA256 5c9999bb6fdc273d17fe1768684b1609f6c6f6b113688aa5f525d5ebc4a4fcd0
SHA512 d8f2a9289155b0ada83587e76f00b1bd4d53b7d12473683bfb1ebcafdd97193af133980c03b30651a9559cf1f5e9d1cacb87581f4169b5b6a6294f562225a681

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2fcca27eccb404b6f008d6ad2349892b
SHA1 a6aa91a74d6eebac354a5407e55a374dea0a2fcc
SHA256 71f86ce302a5eb5e0693ac2e880b58599b59dc2a74e003590551d259ec87e48b