Analysis Overview
SHA256
cbd66f0dc71d341a26f907f13876c6d58fa4c8ea027ac94ac36e386b92230ea0
Threat Level: Known bad
The file b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Loads dropped DLL
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Drops autorun.inf file
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 06:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 06:32
Reported
2024-06-17 06:35
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
51s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2144 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 06:32
Reported
2024-06-17 06:35
Platform
win7-20240220-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7375630562dd579a90c2ca6ea03be9a_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files