Malware Analysis Report

2025-01-03 08:25

Sample ID: 240617-h94beazfne
Target: b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118
SHA256: c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40
Tags: persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40

Threat Level: Known bad

The file b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: persistence, ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-17 07:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 07:27
Reported: 2024-06-17 07:29
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

Tag: ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/1636-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 dc07e9ab8f299d656ccb86184b1acfb5
SHA1 32c24fb13f1e60d6d2a60fb19fb1ff9477244040
SHA256 c16108b15e11821eafdaedfd28c9d5f3f612b656e0a1b9e2e3b10c4f5932a6a3
SHA512 4d74294f50a378641e8e8e50413eacb3b54123838be2f4283c91f5db15c1d899fe1899c7afed1c1d8cb6c9cb332bb92dc3b42fd2bfac362b6692bac11181d0e4

memory/1636-4-0x0000000000380000-0x00000000003F7000-memory.dmp

memory/2972-12-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

MD5 082c57bfff321a3aac210289f32e4e45
SHA1 d1870bf89682e6e8b8b68e356dbb47b5f54f3f29
SHA256 fdac8659f87170090f9a8d0d9848bfe552b3c40c21e52fee42955943cd8e21d6
SHA512 4374a61328869888de8c5be8cdf4546ef0de9545c346ee3f25c99dd084c26c552193e4b2464eb8748f6603915db093c65d45e40a2b3945f877c11c34e417fad7

F:\AutoRun.exe

MD5 b7627865ebb11f7512bf13d1aa0deab6
SHA1 a7ed0db06d85193426dceb71ce7d38988f39420b
SHA256 c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40
SHA512 fb6d7553dd4a63eaaf3a4fe27f35f8207988b6c5ebdcaa6c8d0135139c3136306c2921d8e237ab0a0710d9d06a31b1880767e8af7ebc7fb401601f4ce5e3edf0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b32a644b635822ca16a6ed146a8cc4e2
SHA1 253863d8a13054f2148b2eebe88d19ed9d4e82a9
SHA256 4a0889778f3a75762230f08c17562cb614c92c6161442858f4b7f5dc2ed3de88
SHA512 cd67e4a83616e5fccb894b179237d89470095090c39b11880617fb9e6d55fc442f4cdff93bb02ad2ed6e1695cbc8b2a57f04b56448e5bc79e436d0bbb9792380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0381112327105cde94231152781be38c
SHA1 2446015bf5ddb0c099602b189672307ea9b76207
SHA256 6eeb429e294600f6ecdeeea57ae6ffd6aef18b48ed2f69eb2f890259a3d26a3a
SHA512 c89ac5b0f907b417eb592c893066af3962164ffd53c255755aa860cee8b56199b9805bbce5d17be1dd49343a67123784a2323c3d1fc4fb35e33fe870023a3754

memory/1636-230-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-231-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-240-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-241-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-242-0x0000000000380000-0x00000000003F7000-memory.dmp

memory/2972-243-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-252-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-253-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-262-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-263-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-274-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-275-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-284-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-285-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-294-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-295-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-304-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-305-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-314-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-315-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-325-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-324-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-332-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-333-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-344-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-345-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-354-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-355-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1636-364-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2972-365-0x0000000000400000-0x0000000000477000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 07:27
Reported: 2024-06-17 07:29
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b7627865ebb11f7512bf13d1aa0deab6_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4016-0-0x0000000000400000-0x0000000000477000-memory.dmp

memory/4016-1-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 dc07e9ab8f299d656ccb86184b1acfb5
SHA1 32c24fb13f1e60d6d2a60fb19fb1ff9477244040
SHA256 c16108b15e11821eafdaedfd28c9d5f3f612b656e0a1b9e2e3b10c4f5932a6a3
SHA512 4d74294f50a378641e8e8e50413eacb3b54123838be2f4283c91f5db15c1d899fe1899c7afed1c1d8cb6c9cb332bb92dc3b42fd2bfac362b6692bac11181d0e4

memory/3520-6-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

MD5 6b7fe1d98979aab8fea6df118b1c9d60
SHA1 c7aaa13ef5d4e304876da536df1198a9c6beee37
SHA256 bad3d23d84bd7f20e5562a0f1b0ed6730cc970e896f18ab16ef74878fd68a6ee
SHA512 e93419dc614bb8972d822de39b5b1e91e5336494dbcaa46fd770e774b1757732ce889158b43c9e0b158bbcb14829d88cb5af1af125685366d3f90868efe5b58c

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

MD5 0ec4bccdec473c8268366b00f5100930
SHA1 404c55df892e8824398b40e296b1ee3ebad81a90
SHA256 74da8479b9893ca0c1700f50c07122a9a9c40773241e05a35081b144156b0f65
SHA512 f687894231545d97d06100b9823bd4875c7c3d377b7daae76cdd3cbc277e2cbd0f9141a34216f51e49b3536c8ac75874b1bfd768e20fa2e8c9a3bc1172bf7acc

F:\AutoRun.exe

MD5 b7627865ebb11f7512bf13d1aa0deab6
SHA1 a7ed0db06d85193426dceb71ce7d38988f39420b
SHA256 c68f09f188aeb65d6001571f7882009084ce27ef915b154f781635378b6d0b40
SHA512 fb6d7553dd4a63eaaf3a4fe27f35f8207988b6c5ebdcaa6c8d0135139c3136306c2921d8e237ab0a0710d9d06a31b1880767e8af7ebc7fb401601f4ce5e3edf0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ce313dcb19b1afd903e85d685f1441c
SHA1 de0be9d316ed4e7496fb5ce37a525f29d2a1c87f
SHA256 58dd701615a618b0cb6f3df0dd077f3f7a1b941c409eb38b96239f891be3cef1
SHA512 1fe6e249e45a692c50d38bea5b295b09013b22a45cfaee1631c35e84f92daa9e954c527e9bb7f6f3fff13060811f26d56d9fd1c51b17754d2539213420dc9874

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e5f5cc0d5d4fee94f12efb3fa634a5d6
SHA1 1c427a2764380bc32b5b6a486f2931a718ba5360
SHA256 fa353f79e20bf35382542078faa5fbe997424a93a17b249a88336c5ce4e7128a
SHA512 92498a1bc50bf254fc707f8b3c2baee80ee0f0e53e73e9f5dbbaff0125e98c59eb4c350c91d0ea01f9e50fa7e9a8948e291a4a20ec4ffa719b2fe9df2d5d6c83

memory/4016-50-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-51-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 16efc8fd55e6645282ee2a29dc3f7203
SHA1 f25e996db344b9013068f68395593f34fbc0df76
SHA256 50a29e620fd89f5458b4db16d8f02af8ad7af3009d0de1042c28b9f23983b0f5
SHA512 6b3f2525d7fafd97dd36ab9cc5e3975e85f58dbe364cc54ab5f9224a1d6f560159b43328cbd7184ae981af1ea25adf599194f258e44ba9940edf0f708e6e3898

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a19f6dc279b178f36d695211d0b30587
SHA1 2842788a56577caf5d6950b0ed2c96c28df09a56
SHA256 8d70fafc755486067e282a08f8bb039334000b6af618a2e614dd776c01c2f50e
SHA512 5576a40994270534d62c4f6b805349bfae11579bc7c1087d222fce6b2b306f347c08d835ec2dc81edd931f6ff723a07328aa0c12418872210229f6c4b48ce424

memory/4016-56-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fd8dc46ab2acd1304e10e8302df59d4e
SHA1 792bf88b00a36cd6b1283ea93536d90efa6c2e08
SHA256 e5bca495dbcc300f633d4c210fe21a2f48eadb1824230f3b56603d05fd9ef50f
SHA512 265a4d45124a39588dc8d7bd4775ccb901463ef53be585704b5547774f990c6aa08893edd7376a05a2eca66cf6c28ad13d8fcfe26f6d8df8f85b2ede0605b0a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d3493b7199a6ad83c711d78f2b0ef290
SHA1 f6bdf4eba5707f2f0d084fee3d723eab238c2f05
SHA256 abfe6fdcc654c2ef9ff9878b883d39a25be867fa9a03221a68f6589cfd171542
SHA512 87637d7e269d6a61ade18c6455a67e96688b158afe10b1ab4d87a365d4224b0841d70f584da80dd38ddf2e0044551421a5fcd317031db63f204f82a0dfc262de

memory/4016-61-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-63-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-62-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-64-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1b4afc5f4bccac148f904f9ce23dc4cf
SHA1 3f782de92421e082940076dbf21d61d51803f1fb
SHA256 69eb787d6077303141438e242362549843e0d8c533688349fea5b5500ac4e003
SHA512 3bca80049cc674e8b4416f56598b1fe548325c345040237a202da9bdf5d06279c326640ce3e6889ff471fab57a9e68844b0be63ea43b3a6117da4e63a36cc18f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 08b845a31c9cdb81953645feb2256f8a
SHA1 1a97226fb49e5d58f3df769f0542f0920882aef8
SHA256 e76d15fcd6c058af72a611e9c8eac42d7321743b964ef7e6dd409673d3db73da
SHA512 7fddbb55d314d1bdf9ab76f7984b7bbb9af7e326f0b5fe97a2a2cd410cfc1ba0132fdd25c039d1249a93b93cd98a1b03dc3fe8f52d13f88e466035c2d29761b8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 546576f75a0b8ab5aad099d74c45f6b9
SHA1 aaf714154ef1d8390c4691899f7c5c9c2d023939
SHA256 4afc9c164bd53d43074748927abfb33227c60aa409b850fff7b3a801ed7abd2e
SHA512 2bd266c9158917d04992b3a8a7b9c87580aa9a0b3054c2e925f08b9826f8947de04e4d2bfa68db17198d42cf1882df93736fb6648f6562588d94e46f467d7025

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4ad522d40488b95be16f6a7c6185bd4f
SHA1 1c834118c1e544fa87bc27670b83a513c498e5bd
SHA256 a2321d4a2c3bf0b1754f37177ec2d9c14c48a2d7f67f6716ecc9619baad1b88a
SHA512 96d1b095033e022404a2f686347428c84c6f652dae4a3197aa4f02c1b6f5278863aec40a63f41a57d439abd7f8a21fdf6db6caa5b2f2dca8c8c2e9b4235a1ead

memory/4016-73-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-74-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 013fd072cddf71b626ee0e7dbaf00973
SHA1 728344f4cc8166a7d302a32e762bb2fe157d7d1e
SHA256 a376122d8632b6772a0ae0191a524845bfb495d4a76c98d200b21de249b2dd73
SHA512 2d701cc64353a093d8403b2edc6507738ceacbfc5e96275a17487d7a4708c51cd4c00fefc36865c4f6fc8a91986d1c48a31ba9d57fddb844a924c634363dc574

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 99209c0050017a6e117cd01df536f7eb
SHA1 7079e0f4562472f1ef314859894057c190d7b22b
SHA256 d3bdf82a024fdbaf85326b4f07c8414e9f6be947f3eaf7de71f1242f37b05a3e
SHA512 61207b2de59ee947f2555c2d0cfb39c774983a1653adf1c3cd217f26afbe07fcd9a6cfcdf485f9a1940c71d7b1d51150985d95a8d041a27d6afac1262ce58ec8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b4b69226ae3ed3a69edc74983afb25fb
SHA1 25c8ce21803f607fee8340eed1d8ed9971ad16c4
SHA256 8b683e4f76d9be538d59a18d6a0004f08de4d866defe69f09c7bfb8b5c52e002
SHA512 0233cc280a9fcb6a60c9018733bae4f10719ffc344a0303a0522b4691a414c9866e3a5ce7abaa2a85cf2b4cd8826ee90cdcf85f504642b8d2a1fe415aef93937

memory/4016-81-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-82-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c32bfe4a4311284b111c10b1ae4fdc4b
SHA1 f2e043a049deb19a45a332b654c1bf787e90c049
SHA256 d48ca5549c94fb0a9f780002ed91585da5b8ddf100a7bc483931ba1558d61089
SHA512 daeb10c71a5e556bbef756f5e05e32e03af9fa9db7130e4f31710f1c33e48bbe7df9d3c369f5a98454519d318fe5a6c0de10f2c07ddff0b09b81bbed854d5ed2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 da41c63a09b2abe7f27b5dcbc3528303
SHA1 314ccf324895533e08e4427e2419227f00d9555a
SHA256 c3ade84995db28164e21ec123f325b1aab187da893a5d2af3aee561a9fd22336
SHA512 6741a2eda478f44a75d332cb0bd8f6a6c0a40ed470dc0fa830e5816e903378e10ae40f71175bd1f1df72c0ebddcd330d598453fe09c877a8356d117aeaa43133

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9847ae91afee3ff80950f0cddd3d838b
SHA1 483552a275b74fbf637369c72012181078f99402
SHA256 274494ff9ad4ee3b6c611e3a74e56d9f4323b0d6b25e21ca265e20362a697f5f
SHA512 ff5770d97a3c4d45be009bdeaa92112df5d46848a5cdb3be1b999e115c0b1de0e7298eb40615926d2139cb9cb86bbb0989e888f4c599e677522d25f3c8fea0cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3913f99b20587815669dcb5c8fac3cb5
SHA1 65aa9a130876b5093bfb5b62146112c989220592
SHA256 432f62c29446b2f3e719e62a888df722411e28d7aa24a41d248d7f8479204744
SHA512 caba269b3c215684cde3d998a2992a8b5c42beb37c9eddf1d79c38940b351dc970adad317d63664debef5340d0616c11bb56b2959f79a9d5f46c7f76d9fc742c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 553f231cac6a5be07817eaee05e66d16
SHA1 3ccf41abb301eb262814c33a8e50934f201a798e
SHA256 f004c3918f6711a3db0c5e0904f0765c2dc240716ca8da249eb483f287a86289
SHA512 649fabe6203d152c6ff7206b24215604e7e73f0b2e31fed5d8508e187e91717d12ed910fdca35d077d5c75c4ec9e18d6598266433d403113e110539ef8577fd1

memory/4016-93-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3520-94-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e9e3a39acf29a5c1ddf9b309244c8c4f
SHA1 f9541f717947c57f549b8779e3d87d0c68e06191
SHA256 078092e7d2030f92d1b207ff54c080c62e799573d69a33bc35e81166ffea8da5
SHA512 38cdc75791d0b6b360426e5e68922c6bd986f7ff4be8f396d52b1a962e089983f62471e9699844bf8f37e4dd1260ed176ecf064ff8af8373d7718f5695f2ff4e
