Malware Analysis Report

2025-03-14 22:37

Sample ID 240406-1wsxmach74
Target e361b4753d289ec6949afd89f8c03d83_JaffaCakes118
SHA256 3d2b0858e01458d7f7c424022d79779182336e8d99457b385e57ae9fc8a87de8
Tags: aspackv2, persistence, ransomware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3d2b0858e01458d7f7c424022d79779182336e8d99457b385e57ae9fc8a87de8

Threat Level: Known bad

The file e361b4753d289ec6949afd89f8c03d83_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Renames multiple (5584) files with added filename extension

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 22:00

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 22:00
Reported: 2024-04-06 22:02
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 22:00
Reported: 2024-04-06 22:02
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (5584) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e361b4753d289ec6949afd89f8c03d83_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files
