Analysis Overview
SHA256
6c74f0f9a8b3082440a8ab2d7aecbd17a8551e55c5bde23d1d8f8dfeb19db356
Threat Level: Known bad
The file 53e74a9803323f11c2d02307c3748d7f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Executes dropped EXE
Loads dropped DLL
Drops startup file
ASPack v2.12-2.42
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 08:44
Signatures
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 08:44
Reported
2024-05-18 08:46
Platform
win7-20231129-en
Max time kernel
145s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2268 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 08:44
Reported
2024-05-18 08:46
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53e74a9803323f11c2d02307c3748d7f_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
C:\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.exe
C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk