Malware Analysis Report

2025-03-15 00:54

Sample ID 240626-27ae4azaqd
Target 13d63bb9e821f16c95202cd163df8765_JaffaCakes118
SHA256 222f99403e5829527d4a8becbed06d7f746ecd0bf5f247132b4f9ffcdaecc98a
Tags
defense_evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

222f99403e5829527d4a8becbed06d7f746ecd0bf5f247132b4f9ffcdaecc98a

Threat Level: Likely malicious

The file 13d63bb9e821f16c95202cd163df8765_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion persistence

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 23:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 23:12

Reported

2024-06-26 23:15

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3580-0-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 23:12

Reported

2024-06-26 23:15

Platform

win7-20240220-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} C:\Windows\ini\ini.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "windir" C:\Windows\ini\ini.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\ini\\shit.vbs" C:\Windows\ini\ini.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\ini\ini.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER C:\Windows\ini\ini.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC C:\Windows\ini\ini.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND C:\Windows\ini\ini.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\ini\ini.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\ini\ini.exe N/A
File opened (read-only) \??\H: C:\Windows\ini\ini.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\applet\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\ja-JP\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Windows Defender\it-IT\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\th\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Windows Journal\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\Chess\fr-FR\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\wsock32.dll C:\Windows\ini\ini.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A
File created C:\Windows\ini\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Windows\ini\ini.exe C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A
File created C:\Windows\ini\shit.vbs C:\Windows\ini\ini.exe N/A
File created C:\Windows\Tasks\°²×°.bat C:\Windows\ini\ini.exe N/A
File opened for modification C:\Windows\Tasks\°²×°.bat C:\Windows\ini\ini.exe N/A
File created C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini C:\Windows\ini\ini.exe N/A
File opened for modification C:\Windows\ini\shit.vbs C:\Windows\ini\ini.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A
(this identical row appears 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13d63bb9e821f16c95202cd163df8765_JaffaCakes118.exe"

C:\Windows\ini\ini.exe

C:\Windows\ini\ini.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13D63B~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 w.ssddffgg.cn udp
US 8.8.8.8:53 w.wonthe.cn udp
(this identical row appears 32 times in the report)

Files

memory/840-0-0x0000000000400000-0x0000000000410000-memory.dmp

\Windows\ini\ini.exe

MD5 0207a4d69009e38edc0cbeb1e794034d
SHA1 c233336c76ff7a561534dd2f593fb360e860c554
SHA256 ad33c9ead99c1ac700060d403f2a9a2435837ec54d087d8b9a837144759e842c
SHA512 5228b7d501e21cf301922fc4aa579b259d29945db1e1a52b632ed1a10288da39e582cb256d6df287573b1cc70f3d6b9b02bef41dce09c52cdc06594b4458e17e

memory/840-4-0x00000000003A0000-0x00000000003B0000-memory.dmp

memory/1888-11-0x0000000000400000-0x0000000000410000-memory.dmp

memory/840-10-0x00000000003A0000-0x00000000003B0000-memory.dmp

memory/840-19-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\ini\shit.vbs

MD5 029cb6e8dd46b0bac89f075426176148
SHA1 ac38c1a3e3db05376f191d161500d74251c9e493
SHA256 638734859db449bb4597a1f3fff81fbf9c9ba9158fc232bfd0ba5f69eab67ef0
SHA512 f74516b98862b508d1714f9757ed22bd76248626ea1eb665f8a3141438c156bb218598adbd089f63c3cf80336e986a5afc2234f18839a8e807ca5c616af29d2b

C:\Windows\ini\wsock32.dll

MD5 62d674465aeb6cb32700fba27c5745d5
SHA1 ccecf6d66b50643ef70d5c25e0c6814fc55df425
SHA256 eea1e1b309f1f7beaf829fa636e2ca15bb9b02c3764c3432721cefbdde3741e5
SHA512 5e4e14c85f5f5933e924b0f8186af09356b387d835a04c31cabed881ddaa28d4607937f7474956bd16d5659565f2b00caa1e2d23524e771a48360046e2517a40

memory/1888-97-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 fddf3a7b7372d7b7c0aa2eae2cb582a6
SHA1 492f336df8c1a3467b38978955f1ad5ae03a65fd
SHA256 5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a
SHA512 20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f