Analysis Overview
SHA256: 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230
Threat Level: Known bad
The file b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Drops startup file
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Drops autorun.inf file
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-17 04:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-17 04:20
Reported: 2024-06-17 04:23
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 51s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1392 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 1392 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 1392 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1392-0-0x0000000000400000-0x0000000000477000-memory.dmp
memory/1392-1-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Windows\SysWOW64\HelpMe.exe
| MD5 | 129dfca94187120f825c592892e52f6c |
| SHA1 | 8dff7e86e0d128c2339f7dbdedab8f5609e34dab |
| SHA256 | 78f41d1ba212c04adfcf990c352036dc5f46a27779236b85d85c54b4398d6ce5 |
| SHA512 | b5db05cde57313476eaa21bd7876120db643d5866ab7c83d9b1c19a416c77e27451da318960a533a7874ac18128323e8b22bd8cb31d5be0de1c10319f32c0d82 |
memory/4772-6-0x0000000000630000-0x0000000000631000-memory.dmp
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe
| MD5 | 293ffa627ebd6227198a0510e773aa53 |
| SHA1 | dd0a202089965471392de5fa7e2868d04895f2bb |
| SHA256 | 6e88620daa7dfaf95852ecc3291970b4f2ba405000c12241fb2d422cb0101a71 |
| SHA512 | 95174f532adc53eeebc69527eddc1804d14a1bbc4a4e152fb049ddfc743865b3f77e29fcbbc0108f7a81bee2dcbdfc98d5bbf9fb07b19ac44ec843c4776fc2eb |
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe
| MD5 | e3b1adb985d735d8ad0115a15e68cf77 |
| SHA1 | 9de33da2c520daf65693e5c1cf550de43f2a7c5f |
| SHA256 | 01005ab1553c2a10d69aa7e11434dd244e228692a2697a8ff1efa8cff135c4bc |
| SHA512 | 8a9d36a4ce0126fb6839260dd8be4128d9ba76e763bdf1ea06daeaf5e10b9fc10febd2620f4bad3fa389d53a2042915abb0aee17f6a2ff0e1b8219ecbc5f298e |
F:\AutoRun.exe
| MD5 | b6b8b4a3bc16c2f4b558ed1e4516c944 |
| SHA1 | 9952e8cc06cc8509fa9b2b0d2708c46a7dcb5aa8 |
| SHA256 | 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230 |
| SHA512 | 0344cdf8cd666595a7fb16dee0bbf6dd80fd3e849d0bffaaa67b0ae43013598f920a1bd6916f05b56d07ab5a178c33606b488d03f91a3a611609bdf627a5d49b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 4dbb45ef49de1e04686a46fa5e020b61 |
| SHA1 | d2461476e622c8bcc619c5de65d10d76caa9665a |
| SHA256 | a41855c8c6206ba596499b9655edea6f28b436e9acf3942fdcafc31f66af787b |
| SHA512 | c1db826d187600e83766e08feafb609478c9593ef626a2bbfbe7e1fb87326aff5dddbfb7aded63a491912269668bb13190fb3eee487bb44a90984aea1828bc38 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | e6cfdd44201f3ccea94eb197c5906892 |
| SHA1 | c3c337874bafad5dcb2d98806ebf833a74ea3e19 |
| SHA256 | 290ee17b0f7ff8328f3f43811c748042ca7fb34426f48693bc5324538bf79008 |
| SHA512 | 8ff9b7a54b5a7c1edd0c832456ea3c05e06d40f576e666efd01722c7350e9ef7fda69575cc839d01effac54eaf858883e622c5c2c29ce55060df2b390a82d01d |
memory/1392-50-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-51-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 0c3188b669eb4425b217df3283cca209 |
| SHA1 | fc7617768f39b23813dcb54c47bdc69d6757c988 |
| SHA256 | 1707a308e73a4d25e0d83ba924c8b7feb81a5b86eb8d4130778502f0ae57305c |
| SHA512 | 6ace0dce8f4dc9f0cc178dc6b5f89c7ea72fbb79eb4e03106a3ecb7b72f2c8151df29709dac755d22e67139b6aacdb1863aa7e19ad897daa5de5d05d2a6b3748 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 5ce9753e3b242771b23b62bedfc55cea |
| SHA1 | d0a8ff2f90dbde1190712f74dded06f7592d3cf4 |
| SHA256 | 7a9e3cae514926296a4e856151c248da727dddc1999f871f617d27a1e7632d7f |
| SHA512 | ececba4248d79c886b82886b188c96c76726f4fc2baeaffefd2b4874d7332fb1fd09be79484e2bf1b0de517462158e6eb3334918c95ab13ad557f2edb7429e8b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 99540e9e8052f1e429092ecc825cb280 |
| SHA1 | 800cd4a0b294eefbbaf573e5e4e3a7e477e282ec |
| SHA256 | ceab8f09faf7b4079241fc905df18a2ac074cbd4358337c18a1f109b79525237 |
| SHA512 | cdfd9a9a2a44b18bf6876d16405267dd5d116f9f8895114a1d83c87fc34834a96bde74add7dc581d16e298c0831a7951f3f133198ff895868f1969162fe74a0a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a4bc9ea740399676e2d03bcd3108d6f4 |
| SHA1 | 35a3a762d62c21fe9437e3f904c7227f90f7dc5a |
| SHA256 | 73263ce499fa87d4b16964e219453efc042847dcd554733e8f77df60a1448974 |
| SHA512 | de9a2c2912ae16434a7adcf147d10783b4c01b8f46cdef294f7475146f0b3eecb44baf200b9ec6c05764128a99fb029a41daaad3e404640da545064deacb1ad7 |
memory/1392-60-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-62-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-61-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | bd3f95ffa66931c3926d4e83cf0229e5 |
| SHA1 | 5523a14dd64a4db1300910b1101c83e19cc92ed3 |
| SHA256 | 3e4d667304068cb81cbfe321345a92077f4a2389c2da760c74755eb374cab575 |
| SHA512 | bf99ecc2a7f1672ea2d1cd63e88c502b734c481efe3673481145dbbf20ecdf76f538e5ca1085de05f5b4c268a63c7ef0c3625ed4867eaeecb4d1db56dcfe4c77 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 63f9ddad7958a79a9433d395ff62d0ed |
| SHA1 | b710b7d68a51851bff2088bf2747a8058db67597 |
| SHA256 | b58c764beba42b763ad4d8b0dfd428f7648532a56315f25923d24b27815e6c9d |
| SHA512 | 1e9933714716f5893a1ee85898b6425fd6ebe3d8482dd029fe8866ad9aa44f13d7cee7085a1eee61086c6b296f245d01bc3201e07ec70518165565c01f0df342 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 662d3b63b1b6abcfd7a69c6f57ef2d13 |
| SHA1 | dedba3c1178931d427109c831072a7353d47f068 |
| SHA256 | 09e15542e6ca8a3988fb34aa2227cd8c793c80a08f28d47af0bf20f8f6592c32 |
| SHA512 | 8870b55140c02a97805eef149003b6a1c270fa8f94024146f1c3527ec41a91a33697361934e3b1c831c3009b31b33ec415eb19f8317d8c25baa2b54e6af46cea |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b223c57d55bd4e4da9474e2602f10258 |
| SHA1 | 01eda2004397c56809655099a94764a3b71a96c8 |
| SHA256 | 488022823f0243a0eec2f55e9d12a7ce8792bf04c73627ef9022507e8930e003 |
| SHA512 | 2c1be33a457b41acf0b872ca892cd47905f2a73339480058598ec3f988af4117b15994e525e364be41287a1346ab96a0f38bddb06c60e4a84d25e82e823cb09b |
memory/1392-71-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-72-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a56e0b737ff5dec96542f258d80b752c |
| SHA1 | eaf8664e79dbea3c2ef3d64981ec9ead79ca6d50 |
| SHA256 | 181684804c89884b136771785481d0aa8dbf80f2e1e41dbf66eb69c059499cc0 |
| SHA512 | a69d4a0f6156fc6ea22e2abcf31f1cef68be5fc61a343a3c2c631322e05856933d746f64b3e52c6b27683dfbe35a09191073b4059fbfb3cbd05cc7089ff99acb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d457f3eb76e271301720bdcea211e5ce |
| SHA1 | 3ee9b1a0f98d56dafee5d012de12f74ab43e1106 |
| SHA256 | ede247fddd92cd088262f626d54674fb2b53abfdb0fcaa7988fc4c1b1854d732 |
| SHA512 | f0b4d3c658014fd4c3cd6d0d06d08b0d98f63c4d28462e36ba12c333b7393f65daa05ca389cdac7ac9dc60d042d286c037161656e23e2e360841964607270789 |
memory/1392-79-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-80-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b97f696c89503c4c37bf2d7c35957b88 |
| SHA1 | e6a719dbf1564a7793630f124c77255245a38f37 |
| SHA256 | e60a316f3d9c24fdfa594adab9ed7b5bf96d97f7d9a393ceea76078dd53304a4 |
| SHA512 | 53203c350db8489c6a1f16fb11a7936d8ac32178b586975e0d0990fa292dd477b804fdde1eff25edf453ae44c75dc0f8ffcec32f003bc84812cb5f9c816588ab |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | cf79db81100cec48cabd1ee1d007e3fe |
| SHA1 | b4645797012f167dda277f91d7e64a54058acdc2 |
| SHA256 | 17d0e82efec15d1e603f0597ba39b482bbf0eb1b9481a04f3b2ccff37d0c7435 |
| SHA512 | 1b53bb767bd98348cecf66514513704e0508cd2215f296e36a6fab8edf8a788b5a76dca9a60e9d6bcce91dbc3b153c1281386635a9f0b44b9a54cd9bb878223f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | db7234c847e970c697a48d92b268dc1a |
| SHA1 | c9106b1be26b3f43c307ed87ec00d1047ebe7a32 |
| SHA256 | 039dd8ad44e710d8fdf5db2ca09b97b3f335b76599b0e467798eb07dcba1dd60 |
| SHA512 | 8cfd0b3bd5e36622bf608b6fb05748b30791fc5ea2fedd31c0d80e65f064c40b98f3121d5e782246803035595763a8f07d584a26c20d8e411ff1c01dc9dc7f97 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 3fdb072f4c727745e02432c66863dafd |
| SHA1 | 247c6a118fa924ff763287ded5bd976f08597bd7 |
| SHA256 | 3306ec9cf42e60630ec0aaf62f4c72727fd2d2bb951cadc3a444d469a9ac4302 |
| SHA512 | b52be67c2c6a5237e12514d389a3782cbaad4fead2ec68bb550c81f6cab155779e5d22e4c0d65709d0a4da451f42d784fe8fed582b2c55075dd408da75e2cc9b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 6d29986b88740cf5c9b6f413ebef13dd |
| SHA1 | 3f0c9e382eb4c8bb0e04f933f6bf14a03c4d81c5 |
| SHA256 | 0ba3bc72784cd1dd639962619fd162465be230fdf03d654eca3a7934858cf735 |
| SHA512 | e61986e1935d3da6b0235e1a78467c456139f1c77b3d8dc566c2405f59a52d1f4b5d0360b8a94020c7eaabcdb435c9cee9dcbd55a32561105669730259d3faea |
memory/1392-91-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-92-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 8bb2e93d6de609fb61d6b03ec427c29a |
| SHA1 | a6d730c69afe0c6c8b15773893758cbf232de6cc |
| SHA256 | 57e732adf3c206c4b58e9d89c1f78d6e860fcae6dd06c146d5176522ab5aa75b |
| SHA512 | c03d2365cf997a544e28c674936913187a25d258d61f13bf001670f3fdee47b53c92a961ab9d44112e32849cff98539b85a7378b01de6f3986c0b2e46a288677 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 05400850332c2d6a6fe97ebf489af886 |
| SHA1 | 82499ad8f12f7f4273ae4e5e50ede76bcf4f8165 |
| SHA256 | 3c61e18b4991c983c5490cd7b7e5c169c33900be46fa18ec936a517721e1a35c |
| SHA512 | ebbf0d2032d628928b35f9fbf26ef9086cd1e2e5a9f76df14d7c350d0f3e929c7b25c944d287df2bc904aeb28dad1b5a82dd6cf5efc70c0c53e31e005b38bfb2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 055bd31dbfd42d40d1e978c549ac4c56 |
| SHA1 | 4a2aecb6d89d9a05bd1753482a8d01d5e8f725ba |
| SHA256 | a261c375ff31ad775478f42aa96fff8b3bfede479e72610457a271e7a7f817e7 |
| SHA512 | b42bd271b749735e9eb28004e644e848cb5dbeac802415081f2771d2ecd035b53fd732cee5e22246195fd8dacb0064c7d10729295dc46a4c0210fb6d18b2f952 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | c6eb19fecc4b7d988cea7b93d4a9d1dd |
| SHA1 | c1bc0b26d51755ba744dfbef005c1f6bcedcc9d1 |
| SHA256 | aaf4040791edc5281bacf53b2d4f1ca013c197bcd4a8cf16d173c0b57621978e |
| SHA512 | e94320290a120ad7b9afee4085a5826c8fb123b5abefebd1bcf74b4b881a8c195dd02f54866813d5ef7ba1a0dfd2fe451ed235a6d3dc353d76289a44fa73a89a |
memory/1392-103-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-104-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a05fcdba5ffe6ed245fd70a93eb30486 |
| SHA1 | 41c70b7cab2fbadb0a22bc875343eb4a5b030ae0 |
| SHA256 | 83e32f9df9c4ecc83e37c713e8599a050046e59c8fbe3e15b902d17101a12a4e |
| SHA512 | 0064f74724976a236f267c7ef2c5ae6945169ac86c8dcede9a620a338884699bd7320038a12432502a5b298bbd118de9cea8c1aed861e283be5279f5898b05a8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 442a014c81c86cd8104a62a3cb86abe7 |
| SHA1 | d49980f6c07a8ca9d52884527d124c4dc2417122 |
| SHA256 | c381c18f4ea0f88068fc2fc91ace465e5028e5c4b737740d093190ed4f8cfd28 |
| SHA512 | 169f73b5ab8e5ba46b1e7ab8decca8635967b8aedde6ec537c88b2b09840fdba929bf51e67786cde44da2e3138bea66737c6b52654f3c0e353035ed359fb6ac4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a727f2d40d5411e5f32579069ddec899 |
| SHA1 | f56e9806928e41679476f5dcb0aff753579833e8 |
| SHA256 | cc8ceca7ccdfa4a38d5b276b08f155d6bfd9d5056bf526a3777e2fa14eadc4dc |
| SHA512 | 0b520898e2e78219e2c574b6a8e7de7141c72cc89b3f772460c546304cd4074f51abb1b9b885d0ad840d302cbb1f47a28105767a1047ac8324b102af61e0901a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 86c67ebec090ac9a80bf5489d9f1bc1f |
| SHA1 | 271b7a0e3f6dafc0c02ac4fc53471640a451de5a |
| SHA256 | fd6e8336275d4c746187f2acbbba32c379e8b14a65c1605fd647226e06e711b9 |
| SHA512 | 3d1b0e8d2819a3151af41225e3d6eda8d36fc5e0489ec5e14189e8436ddef3bb4c689cbbd8ac1e42a05b8909194e51b8550d89d48381a833b278e02e78c23ee5 |
memory/1392-113-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-114-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 3be06f04e0e6a87708c07fbefb72e4f9 |
| SHA1 | 007057d16c05be504604139fbee30337b9dc822f |
| SHA256 | e8b8b1bc4b9b5ae91afbe9faa7eb56f0aa3a9dd2e4c392a2c6e3648b76fec616 |
| SHA512 | f7010a80934edbfcaf1c305530b53b8b7b5e1c47655d3e620a2fbc855f04b98b14df703ccb31390f60e697ec667bfbbce070852133de0f9b49ca2833c197a1df |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b0ae5ee7796a8b93973717231579873f |
| SHA1 | 8bcdf24deac05482c428f86c883d41180dbde33e |
| SHA256 | 0158fd27e83182a762514ec8663f2430a65e33f4bab16f1a16cd8415af2481b4 |
| SHA512 | c0c87f012aa5f6428178f5f83c8a66cf09912cafd80f325a8bcd89e50176c5954884efeda5b2e131efb0d42dcd3ce9a5687cf1caf883ee5d8a8e9aa4be7e46e8 |
memory/1392-119-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a7a289e6fe3d2cecbf7d8e68a42b00dd |
| SHA1 | e0a4f70f44ea341fe5fc975d38b008a7c33e4410 |
| SHA256 | 3b5ddde6976cfb0ada1bc37ba5e214295f124caf56a6fda80c3ca28c29d6a341 |
| SHA512 | eab998ee4f005631e309edfac3ff8beea125cd94880056e567dc32adfe24d62ec9f888954159a5f7aa6b1e089176e03ec47fca1d309d88d8a9f8f7d83e4ee3d0 |
memory/4772-124-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 6cd775155c839c93ba9453c20c6b11ce |
| SHA1 | 30573385ad74c40b4b146420c68476de14677bc3 |
| SHA256 | c54465b07aff78302048fc92a3e42bdb57a627446fe36b5edf33a13198be981a |
| SHA512 | 86b7ddb7ddf5f080fe972774d07b457c4e3dcfae8bd5d16172eca0ee51af05ed197b9c246194197dbc59348d3a5307f7e2f3c14b28d5325459543c71e9773809 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 211fbe4907f408cfec34a76bc7d25cd8 |
| SHA1 | 57cc76d061d40afc86c6e281aee93a46d159cd06 |
| SHA256 | 431e4ad1b2cdf3e0c00f77468e56db2f471c4544d4a5a960849c1d94e0cd42d8 |
| SHA512 | 6f4aacf14ae573a96a474200b4bf1b22f6c09af80fb93728248a63149a06b237cf2bdd7fca962047ee3b0f612cff029e822bf076263a6cfae650a84ec9a9eaec |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 473f85a170ff42ac572024ed1c11c241 |
| SHA1 | 916c885ae824c16c9fd9cbe229b65021d4dddbf0 |
| SHA256 | 9e678077495b5be351509221445043be0eac88970d3136a5fb28505b70316010 |
| SHA512 | dd12b92b15df1140f109a67babfaed511a2f3383e630b597018686a98f5a53924f56e072555fc014863cbb94ea1128265d2241b5b801acf6993e6ba1048f4b49 |
memory/1392-133-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-134-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | de26944c4b2fe01ccc885249f3386b71 |
| SHA1 | 56b48df0a62b1948389b35bbf1c3985ad0505108 |
| SHA256 | f1fda25c00e5f952dd9fb1a9e1f9bd19573c467445fe32afd4d69f8a24374ba5 |
| SHA512 | d36378de759a84a2a9a6fa71563df45b7f340a372ef1e70e7354efe6cb83d9f8caf8436395a0ce69dfb0058066e79c0b9042a4fced31c82bb98d016e924ce0c2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 151bce10b5b4359f921f12764bee5490 |
| SHA1 | b1c9538fdbde0acceca59bc9198b1c72b665c4df |
| SHA256 | 839627a358398bdb8a9d0a7a2f2649b8e74afa822c6d9ac860991bd2bd0b40a0 |
| SHA512 | 90a97b5760d7433bcf8117f142c29c3873cb1313454aecf910ff5d91cd3d5b8aed5aefb4a3ac3d6628b06440cf6a7d4be0562bd2b1a32c4072d10f6e6d1861ec |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 51e8c7258b6ae87b1e50956b0d703540 |
| SHA1 | 0bb05110e50b1fc0fb702af2c68b2667d0656fb1 |
| SHA256 | 2871100a0cde5eaa325fde9698820c8dba3a0ff084200863e5fb20790408dbac |
| SHA512 | a74536843aa02a9d967ae3e9776d03eae9a06d6a8cf27d958df13bc2e7190f0fdb57c015c116876cdaccae4003e4f5be0c9b817404b40e329902803b71addb09 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 7756a7097308dac210de2040e6979ee7 |
| SHA1 | 7550201d678c2f87d64d85884ef85071f5390573 |
| SHA256 | ac83d57147f5c331160e409620dccead4168105e4cd28f8b848a594c8c5ce96e |
| SHA512 | 484fbe5f6d6514725b5f66d7d5249ab1d570202be7411de8329d8d51c9700b756e19cbb279312eaaf389b27e87959f67699ff644d961411732079adaea4579f4 |
memory/1392-143-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-144-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d42a28317a3b7fd1a6164ce86d7bd29f |
| SHA1 | fe03740eb416087d4c732a6f9ac5355d6f77962e |
| SHA256 | 61611c44b7b75c761f6486e5c35d4273ab0be2d070357c4a73ce47770e61fc62 |
| SHA512 | 44435522ba2b21ebe2ad22a4541b2b7ebc2b8b8e0edfd760610636d112cd000776d7f89f5290a88f04211338bb09204da24bd9d0c2643d7cb3c69ef50ea19e58 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 98383656e8c35123989bd696799560b6 |
| SHA1 | 7e9f6d69f3fa26ce7f063e26454add83578b19de |
| SHA256 | 869ce585f7fb7e0775fed7a976138d1e1fcb8365c72a292ef1863814a72cb8b7 |
| SHA512 | f383e802d5e70cc3c58f3c12eeb2037aa7ccf7331d210d1a07fe547e74ecb65a9701657ca9447beb6f4ff4820b2ec9b19d70e78b3c50574d1e495f28448e2d41 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 37eef8d16fdae78f5def805cf278b423 |
| SHA1 | dce47fe4252baed8b831d09c1de3ff691a4f682e |
| SHA256 | 81f6ee5a378724754581eaa42fc04ffb16785d064bf2a1cd003c7c0213a71e8a |
| SHA512 | 3692db195b45b5037d9cb2fd17a9ca5450dae5d895c07f5997b2ce132cdeffe89736d7f24b96f8a3999922851980d96a4d789be3e913c0e6f3ab092d2c8a8947 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | da7b58118858b6bd1b7da255cd6d1c90 |
| SHA1 | 028826fe9e3e039ab21adcbd1c1d89158b19af0f |
| SHA256 | 75ebbca35426db2f32794d890922d7c8c2f3cda389be856bf51699c62b12bc28 |
| SHA512 | b8591655abe2a4f02347cfd587570824628b9f288bb850fb05dd368d02a3c40f4f04b5815f6ab2f59ffd90ca9e676dcc17b070279fdd2d52723c18c9adaed955 |
memory/1392-153-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-154-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b066743eec939c5cdd7c027901e54209 |
| SHA1 | 4676ff8fa77f4de540c947b75c0b148de77d8572 |
| SHA256 | 934752872b7a917870d82fb442791c42e4b7de3ae0bdd727168fa06eb4c7ef3b |
| SHA512 | 9b62885036f6da95d42c8e63f18faf64b0c347f03f97975af3b6292f58a1b74dffbbe932a8101829bb4e386df92094afbb0123dc4c93d770031192bef0585afd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | ae82f62694b0bd3a23e55744b892e125 |
| SHA1 | c87d14900a797bc01d5183c9735b761a2a84d9ad |
| SHA256 | 86d4a1b9bb6252943dc0e897bf74d90820aa146ec4c650ed98e770a131848a28 |
| SHA512 | 65f3fa0ade268a0ebc6bc700c23f9a787d30914b9c0013907f4143b6bcff2c7c670d5a80ce30fe1f2b2a6fd48ba185a7fa2f8b10aa7b59a3eb7128284fca6e56 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | e81f2a5bb6e80ad6e12e9b960eaea620 |
| SHA1 | 23e28645162502d2cf3557a8089278bb55bdd969 |
| SHA256 | e3dabefcda9d1d2c348b077463766ee6c5ecb07ac63823f847cc986640691f85 |
| SHA512 | 83e82a53be9fc9c381a7f740c619a66914d64624393965778ca059cd2f1295cbd64d728d637b7fb3ceaf0290a42328b82c628fbadfd5a427a65e70157e34f6d1 |
memory/1392-163-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-164-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 4c76a3b697c08093e4cfe3aa34c2d12a |
| SHA1 | 1ae47ec67394948abbfa3a5adf81fd39b4b0b545 |
| SHA256 | e54e02ba6b3f5bc52c661121bbb535288e98f651e8d509874ad7dffa4b4399f5 |
| SHA512 | 7c27e6a147dd2ac0d83c4be0de5a04c0f4d36fc58dcaf102f7ac5f2551e4d6a37949adc311a183e26f5978c09870459747a7a9b880fda0ed0f8126165fa79c90 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 1886f01fd5ff4138bf677aeeba74f72e |
| SHA1 | adfea33f87bae956dc980a2a51e34f541786d5d9 |
| SHA256 | ed43421359c0a9f310073a7feb18e572dee77718915a7966122495c9a08c20c3 |
| SHA512 | 5ffca21713dd5f9d7488126cd0f7c268d5799f91c7bf4f6133a405286a03373186d048a7271618b35076aeead33a9fce73782c24936c9ec503c92423a1ee3608 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 576e7bdb66c7f2359464436c55057cb5 |
| SHA1 | ce789949e9c938f641f4315c26ad552e53837cb6 |
| SHA256 | 243e30702a12aaabe7bafdab2bc2b15fdb58c73646ac288a41e3384569cc0475 |
| SHA512 | f8e71870677bfcae6aa6cebcd7c1905c5e323df279485c070db22345eff800af5f09a0dd35ed13bfd935eb0b59b2b36990f37f178bcd6ad1270a5d1c9274d23e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 83d6ac8089f5c66387dbbd265f7feb7f |
| SHA1 | d8f30660362b54e7a2febae637c028a6c99d323e |
| SHA256 | 83ca4f51ddd71bda4157af7485f9a4dce88e3ad7d87c16c35fdc7c5006e770f5 |
| SHA512 | f331397b502417cc609eded2807fad8f576090e0ef074df7ea77c26c72abb6d715fc352562c9aa8bc1730787c13f948dcfaaac37f97710d703c92e51e6fbc7e3 |
memory/1392-173-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-174-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | cfe40a34077f5cb10917fb4886f7d3b2 |
| SHA1 | 298979025890ac5efbd7b905069389f373dfcc96 |
| SHA256 | a5d0278fc94a374fb017056e9930c83b583cdd39b55822b3d92d69a58cea193f |
| SHA512 | c13c6b5fa9fac78056208d2e5656144b8f2ec171dc443810bb16fd960a919c68982b6829076075a17981b72d8e0d4efe4d25c558943dc5c72c570171414497ed |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 5e0384ca2b4bd652fbd568ba55410baa |
| SHA1 | 127ccb2c072a2723115fe62165a777325ac995e1 |
| SHA256 | b3acbcde49a1c939c32e51d8cb7fa59b5739a4ff854bc02ca9df97ae85a9190c |
| SHA512 | e305ab0dac7689bfd6d6d9a232cbb7d9092d38ad8d05a851bcc803cd1596b0a3d1fd679b86bde3767fd562d906f92084ee41797858e848abcbc7cb4e27c41df9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | ed28b9b83dbcbaaee728c4e1a8efea3a |
| SHA1 | 47d9e11df2e0d38d64eddc170be02af7345f5c8a |
| SHA256 | 78a7200d1b0e118575d4e0429d223f81b18ff22ddb0d7182383e5577d6ae1fa3 |
| SHA512 | 59398ab5cf8a1897f9336e577f2dd4aa8eb869cbcc705bdf5ee576433cf1b90822c75ec1f812fb2da08a922caefdff89ec89ebb3fbc358c04df5169922575738 |
memory/1392-183-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4772-184-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 5766e680fbc215ff0457185b3ade7ed7 |
| SHA1 | 6850b1c4b0489c6d2c1ff1f6b4cc4609b4e209ad |
| SHA256 | 77dce6ba752588702e7c6a1a2e5d601ecd0204437588f9b9d36cfe6e5fa476e6 |
| SHA512 | 6cf7c01d7b8a3d9d6d11696acbba120a00e160003ddf355840d58eb8fc4ed39ab8c7a6048f4f279fe3cc5f1e163527ddd1ebe58b341a3fc3521553855c7091a1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | aa55abf97f5d82bbed7f85030f2f21d5 |
| SHA1 | 25807ce331091f558da147ce121e8f004b5be7bd |
| SHA256 | c78166a42d4709aef954dd0e6fbb4b6bb10f13dad3cf4b169c1a32c88700dead |
| SHA512 | 3c08e0a34d080151139a6ac8a4a0ff5845c0f731bdbadfd147df29693621e41cab8977b154db53f58e50f25a79516f59b1a7a8aab5bf76f892e53682423f33cd |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-17 04:20
Reported: 2024-06-17 04:23
Platform: win7-20240611-en
Max time kernel: 146s
Max time network: 127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2576 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2576 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2576 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2576 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6b8b4a3bc16c2f4b558ed1e4516c944_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
\Windows\SysWOW64\HelpMe.exe
| MD5 | 129dfca94187120f825c592892e52f6c |
| SHA1 | 8dff7e86e0d128c2339f7dbdedab8f5609e34dab |
| SHA256 | 78f41d1ba212c04adfcf990c352036dc5f46a27779236b85d85c54b4398d6ce5 |
| SHA512 | b5db05cde57313476eaa21bd7876120db643d5866ab7c83d9b1c19a416c77e27451da318960a533a7874ac18128323e8b22bd8cb31d5be0de1c10319f32c0d82 |
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.exe
| MD5 | a41d0325347e1216b6bcf69f4d7c80c5 |
| SHA1 | 1605087728bc044400f238f74a454f7aca4427b5 |
| SHA256 | 8fa687d9f15fc91a5ea1cde367b3116da296bf995a06d8cd4f1879dd27d587b3 |
| SHA512 | 5c24293f730465ad18e472597dc26aebcf3bbad076bc05a58ea4df5bea90159a210fe5aaddbb6288e6c4089f0e78befd8235b2a54f571c630d355d4bfba891d7 |
F:\AutoRun.exe
| MD5 | b6b8b4a3bc16c2f4b558ed1e4516c944 |
| SHA1 | 9952e8cc06cc8509fa9b2b0d2708c46a7dcb5aa8 |
| SHA256 | 8741ccbf5c4054699732d5414e86346a851aeecf954900a1c9bf614f11af4230 |
| SHA512 | 0344cdf8cd666595a7fb16dee0bbf6dd80fd3e849d0bffaaa67b0ae43013598f920a1bd6916f05b56d07ab5a178c33606b488d03f91a3a611609bdf627a5d49b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | ed5a8222d853afdc411e846bcb462678 |
| SHA1 | f3039025458e013e1303d9f6074bb458551feec3 |
| SHA256 | 12a5f1f044f9dbcbb34c8add13786b4c9ff745ef40ae4c5578e75289508e7070 |
| SHA512 | b6cc698d8bd3cb0c2fa69e78076b1e9193bda3a1ee5925f128bf98672924cbb354be6f93c27a0eae57812410fbeca0d32b19fe6553737bdc533a3343bc6cc572 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d067b426efa482dce37bca3260072fbd |
| SHA1 | 42337b172088c36eb70321c1169f9f19413bface |
| SHA256 | 9d2ffea80565ef6199ad01b5417f2eab3f40046a81e735ca11378a4f35c72431 |
| SHA512 | c88a1cf6d869bccbcb9d9e329400a3464cb5abf7661bb90543daffc6f11a2d26b478e338b5710fd29a85ee3d26e7b407da9b468afe171bbda7bdd4a41f96fca7 |