Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-wm61nssarb
Target 6398420bbf64a695b8ce314cdc95895d_JaffaCakes118
SHA256 d6e05088d81c44198a428de6aa06a0f124261e0246a45199fbb575c923476509
Tags discovery persistence ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 6398420bbf64a695b8ce314cdc95895d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:03

Reported

2024-10-20 18:05

Platform

win7-20240903-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2340-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/2900-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/2340-225-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:03

Reported

2024-10-20 18:05

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6398420bbf64a695b8ce314cdc95895d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4432-0-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/5028-5-0x0000000000630000-0x0000000000631000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

F:\AutoRun.exe

memory/4432-44-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/5028-49-0x0000000000630000-0x0000000000631000-memory.dmp