Analysis Overview
SHA256
ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38
Threat Level: Known bad
The file 5f03a75487908cb6837a220a4b052740_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Drops startup file
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Drops autorun.inf file
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-19 22:35
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-19 22:35
Reported
2024-10-19 22:38
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 760 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 760 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 760 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
memory/760-0-0x0000000002210000-0x0000000002211000-memory.dmp
C:\Windows\SysWOW64\HelpMe.exe
| MD5 | 4212fc1244ac4da0602e53f8c236bba0 |
| SHA1 | af0bc872fd4900a59455cc60599d56721fcd7d18 |
| SHA256 | f9da259d122ec54e8d8342d7b6c8919c3b6648fcddd3c6619eabebd607999d38 |
| SHA512 | 0b2486fca28efda1950f6dc3f7f625bd1b1585b4162f67bd2647413a1dcd74ec4a3370d7897c79ad45dbc7ca320ec8704a8f2c5aa6beb3e1ce7e0720fd288301 |
memory/5060-5-0x0000000000630000-0x0000000000631000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.exe
| MD5 | b4a326b61d64c8886c454c33d6c004d3 |
| SHA1 | 8623dfd7638149ad4c720900f2af3c739535d911 |
| SHA256 | 2f7787d1f5c8a5922e6824be58f3920d430bc0890b1a826b6bdf150a3c35bfda |
| SHA512 | 4e67d82c6d284aa364ddf8934d03b2346049a0d386cf58daffd927cd8a124bfd7888bf00d1b03337ce41e3b047d0a90b191482f4bfa1e023981b449fac8b5abd |
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.exe
| MD5 | c77ade4cd913add512556d95177e727c |
| SHA1 | e4bcb31eaa6e169053ac6be51f250150b38798a7 |
| SHA256 | 9d9750623d60a4e51ed822fc30d616922c0fe32e355fc7d1b8a904405a2b8c87 |
| SHA512 | 214f3f32c098d6799cdd3f2c38f789c092ffba5108332f6c2ebea45b1e761dd38ce3e5eb3096a29e22849b130ba40a687e14a5b1b783e0d65c11f8ce01f1d6de |
F:\AutoRun.exe
| MD5 | 5f03a75487908cb6837a220a4b052740 |
| SHA1 | e37d87b0a418839369ceb31287f9d21053317117 |
| SHA256 | ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38 |
| SHA512 | 13fc308b9ffa6bce038dc4a578e5cae38a4626b8f7c71a5e2ae658c92417a04bc7b3c1d937231e1aa3e5737fbf3362f2833c85576cedfb88a8e9bde05b7ad6a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/760-45-0x0000000002210000-0x0000000002211000-memory.dmp
memory/5060-51-0x0000000000630000-0x0000000000631000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-19 22:35
Reported
2024-10-19 22:38
Platform
win7-20240903-en
Max time kernel
145s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2516 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2516 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2516 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
| PID 2516 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f03a75487908cb6837a220a4b052740_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
memory/2516-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
\Windows\SysWOW64\HelpMe.exe
| MD5 | 4212fc1244ac4da0602e53f8c236bba0 |
| SHA1 | af0bc872fd4900a59455cc60599d56721fcd7d18 |
| SHA256 | f9da259d122ec54e8d8342d7b6c8919c3b6648fcddd3c6619eabebd607999d38 |
| SHA512 | 0b2486fca28efda1950f6dc3f7f625bd1b1585b4162f67bd2647413a1dcd74ec4a3370d7897c79ad45dbc7ca320ec8704a8f2c5aa6beb3e1ce7e0720fd288301 |
memory/1544-9-0x0000000000220000-0x0000000000221000-memory.dmp
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe
| MD5 | 62b3d1d047faf67897549c7997fecdd9 |
| SHA1 | 16ee856b6020dd5cce1eb29ab07017edd7deca8c |
| SHA256 | e4ebfc9c8cc8e5cb4246622e0e5bdc7fb5c76cc1e056bbe0ee4fbf36345aa89b |
| SHA512 | cf11516755ac0bbe9a0e777ae043780262ea1996c9713d1e502100df6b5cc05bb9947dfc6d37c26d291fb9d944cf0c2dc983136d5766e67fee9de1b90143daf9 |
F:\AutoRun.exe
| MD5 | 5f03a75487908cb6837a220a4b052740 |
| SHA1 | e37d87b0a418839369ceb31287f9d21053317117 |
| SHA256 | ccde612b87a4590d7691e3be0045f83308d688bd7977dd1a5a6b17a25e304e38 |
| SHA512 | 13fc308b9ffa6bce038dc4a578e5cae38a4626b8f7c71a5e2ae658c92417a04bc7b3c1d937231e1aa3e5737fbf3362f2833c85576cedfb88a8e9bde05b7ad6a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 3ea466afc4955c3d7aa727bf0c0cd7d4 |
| SHA1 | 63fafc3b37abf50d159fc47de61c890a364d2f00 |
| SHA256 | 987883596e8d6ac0a5ee8cfbf6074e97e84b3ab5b19cee301c5a9a49c62d7608 |
| SHA512 | d1dbd99fdcbc5d186d5d3470a9994637f83f320119b227bc4c92531d2d7846dc72afbbaa4e69b5474d8e7bca69b01ac2e00658357755bcf67c5df5b130f3ff90 |