Analysis Overview
SHA256
b3c35b8aaa7feb1af32061b3eb8d43bcdf9f21182e09e2ac90cb9862d77bee9c
Threat Level: Known bad
The file 53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Loads dropped DLL
ASPack v2.12-2.42
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 07:48
Signatures
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 07:48
Reported
2024-05-18 07:51
Platform
win7-20240221-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 07:48
Reported
2024-05-18 07:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
133s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53ac74e832d7a248e6030ae17ac3a829_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files