Analysis Overview
SHA256
149fc4d8775ef6af76702301fd53182ea7c3a8d49a7b877f5dcaafb84ffaeebf
Threat Level: Likely malicious
The file 911b6ede550a51266f1d6a99a9174153_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks for common network interception software
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Maps connected drives based on registry
Command and Scripting Interpreter: PowerShell
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Gathers network information
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 08:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 08:24
Reported
2024-06-03 08:26
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Checks for common network interception software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\gentlemjmp_irow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RRMBK.tmp\gentlemjmp_irow.tmp | N/A |
Loads dropped DLL
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp" /SL5="$30144,3365513,56832,C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq Process Monitor*"
C:\Windows\SysWOW64\find.exe
find "PID"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\cmd.bat""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5900 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5901 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5902 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5903 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5904 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\gentlemjmp_irow.exe
"C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\is-RRMBK.tmp\gentlemjmp_irow.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RRMBK.tmp\gentlemjmp_irow.tmp" /SL5="$5015C,2965330,56832,C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-LSQI6.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ads.noforyoubutyoucantry.com | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
Files
memory/2424-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2424-2-0x0000000000401000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-V2D3H.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/1640-14-0x0000000000400000-0x00000000004BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\ex.bat
| MD5 | a5650a3df0fcf23ec9ba25169d5eceef |
| SHA1 | 22ae2a9c03b38f4b2e3d7f343798e914519d8351 |
| SHA256 | 83b8dbbb34b7cc1edd12acc53533ee1c25b737626cc5f00a9bb998e86abeb133 |
| SHA512 | 4710d3845036276d3506f0c60ec46d04c8c04c706b4eac227c5692057fc920b53b093d6046f035e1af9f1d4df7eaa8e29daa231e3d80eedca7c2916513274a4b |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\av.txt
| MD5 | f8f8258012893e0a2c957d226bdd7587 |
| SHA1 | ed482b5f912ef2d31e2b231df6b6e3b64967390c |
| SHA256 | c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2 |
| SHA512 | 6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | dae8768bbb8a4fddc4dca8eae7c4d65f |
| SHA1 | 385ffb932fcff489392536d62e291ed9e0beea98 |
| SHA256 | ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf |
| SHA512 | 492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 6a745081c62a706c014a876f45b5a56b |
| SHA1 | 25f17fcc50dd202d2381c00970e2dc04c2ad9707 |
| SHA256 | e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c |
| SHA512 | a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | f0315949ccc3d22d958503f5735cfbcc |
| SHA1 | 883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0 |
| SHA256 | 201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d |
| SHA512 | aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 110d64c0e450ff59542f81690a2d53b7 |
| SHA1 | 7f2e989deb095a0530792989e5fa9d7279d5f3e7 |
| SHA256 | 735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e |
| SHA512 | 00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 8fec1ab28e8ee7394915990458fb85dc |
| SHA1 | c70e183a783a9621cd64584de99f8163deb40872 |
| SHA256 | b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd |
| SHA512 | c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 97cc4c6dda23b9631b8c9185859ad061 |
| SHA1 | 5f912a6c094bd918afe5e9f0c70cd45b36dff722 |
| SHA256 | 55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8 |
| SHA512 | cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | b921f2f9f97a642d513e1307f7685e0f |
| SHA1 | 3489b63a484a6114f1828100908bbbc622b07ed1 |
| SHA256 | 953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc |
| SHA512 | 1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | b35e8ab65e7f8a4edb3663885f775681 |
| SHA1 | 49b66b2e3cff64dd7d8315c53d852c19a46e8609 |
| SHA256 | 9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53 |
| SHA512 | 3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | f1b6aae3dcd94b94aee326517e3dc583 |
| SHA1 | 3418fdda1ad30df64d7bac068e1a0c4e305cfd75 |
| SHA256 | a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b |
| SHA512 | dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | d93cc818d32f755945cddfc02b29fb89 |
| SHA1 | fc564e791326d269d005c894cfca674352dae814 |
| SHA256 | c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c |
| SHA512 | 62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 660d266764b1952b43431d6c7dc0dfa9 |
| SHA1 | 809794738d6ca580d6ec14e77a717e831b0d0e5c |
| SHA256 | e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5 |
| SHA512 | 6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 59a8010aab7eb203cd9fda8f6be1beca |
| SHA1 | b9a07636b921183c88880320294e279c935cddd7 |
| SHA256 | 2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba |
| SHA512 | 26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | a59dd0f9883ea39c5119831b0eed46cc |
| SHA1 | 8c9354051f7d92310636f0f17e5770aede9d1ad3 |
| SHA256 | ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493 |
| SHA512 | 4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 32b997a9d994996a4369a580e6541b7d |
| SHA1 | d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1 |
| SHA256 | 39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8 |
| SHA512 | f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | f0b99c1273d3787f7769feb4d56e6803 |
| SHA1 | 6105232df9585072be8ca04712f8760812943cbf |
| SHA256 | 176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d |
| SHA512 | 73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 755c6764b8ecbb83798450705f51510f |
| SHA1 | deb141c4fc3220f0ff5c16eabf1adf850bf55610 |
| SHA256 | cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016 |
| SHA512 | a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\cmd.bat
| MD5 | 57c51f08efe3d4a7faf58bba6ce03ada |
| SHA1 | 2ebd31e12fa8d3a5a5f253c1ba0465face2c637e |
| SHA256 | d488dacf9fe744779929999c7fb162c5913e73406af7837ffa76a3aafb06b896 |
| SHA512 | 19002a6504d83775fb90da27de519aa09ecf58632746c990ed0c3d46ba638a7e5f248e4e0bab441d5460eaf27610ab20d40117a314c3506a579c35b2664170eb |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\favicon.ico
| MD5 | f0b81e3ecd1b5d144558da07bece8803 |
| SHA1 | 9ee5bf12a207859d89dc893b8d02bd5c739edb52 |
| SHA256 | dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1 |
| SHA512 | 774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | e902b4bcf5b531d057d091d00be3daee |
| SHA1 | 0cd058fcfab51dbfe91b139dc52245d5a4326f55 |
| SHA256 | 9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3 |
| SHA512 | 5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11 |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | c842d438cebab4b876572a8bc032aabe |
| SHA1 | e95c7d4e2f6246daba6f0baec8e1b94c91384c4d |
| SHA256 | ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218 |
| SHA512 | aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 410515fbd7d2a2b4fab0fb80c76c2a74 |
| SHA1 | f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893 |
| SHA256 | 6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99 |
| SHA512 | f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa |
C:\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\CheckProc.cmd
| MD5 | 0cbb771b9f9523adb96d5bae77154a05 |
| SHA1 | 528330a335047039ab012b01bb7a3f585e6f5a8d |
| SHA256 | 4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e |
| SHA512 | 41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1 |
\Users\Admin\AppData\Local\Temp\is-KHV8T.tmp\gentlemjmp_irow.exe
| MD5 | 14e668aaf993439d183e90a54a6e957a |
| SHA1 | 095a424c7ac89f893563c47b3dbbf696eb49229d |
| SHA256 | 9ef10e877cee340370ecf7580d9637d45ddbac6b37b96c8f6e7784a9e73cab5b |
| SHA512 | 9af81827f111a764a2e2dd69d6ae8217fb18365e5b9e9e925cc16f39f50be22eb25ba6c3df54391a0b1383fb4622170f4455c5bdf6651ce55e7b029ba573c909 |
memory/2156-70-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-LSQI6.tmp\isskin.dll
| MD5 | 92c2e247392e0e02261dea67e1bb1a5e |
| SHA1 | db72fed8771364bf8039b2bc83ed01dda2908554 |
| SHA256 | 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68 |
| SHA512 | e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5 |
\Users\Admin\AppData\Local\Temp\is-LSQI6.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1612-89-0x0000000003920000-0x000000000395C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-LSQI6.tmp\innocallback.dll
| MD5 | 1c55ae5ef9980e3b1028447da6105c75 |
| SHA1 | f85218e10e6aa23b2f5a3ed512895b437e41b45c |
| SHA256 | 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f |
| SHA512 | 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b |
memory/1612-93-0x0000000003960000-0x0000000003975000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-LSQI6.tmp\ex.bat
| MD5 | b302e6a7fd48e58f827c98b87f481b13 |
| SHA1 | 84c4b972cc2de289dbd1d0988f02c4043af632a0 |
| SHA256 | 1dd98ec50c8897bf2d273bc9d5162e09eb34e91d8f1bd72b8f434796c9254562 |
| SHA512 | 736b2cb891ea8523aa78fefbc1478941135a3bb15b3dcb9522616d997c0e3ed4f669312e55c3eaf19853d5b658076f64076aeb785d25dc6e4aec5f86a8098518 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 88dd048d08e6cd9e276837cf6817868b |
| SHA1 | a4f07cf70c4f91e43c726aa247a80a8d050aa720 |
| SHA256 | d68e0106ba135c4bb938cd89ff0585ffc77eb9d2b82efc556a620e80ac60a713 |
| SHA512 | 019c76ae50f5f582374129d3826da41984048514c95a28fef107910535194dbaa321aa88ad01b02fabcb3d239cc1c4b54c750cd326c953cd41ebb454f6e03a34 |
memory/1612-106-0x0000000003960000-0x0000000003975000-memory.dmp
memory/1612-105-0x0000000003920000-0x000000000395C000-memory.dmp
memory/1612-104-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2156-108-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1640-110-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2424-112-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 08:24
Reported
2024-06-03 08:26
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Checks for common network interception software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\gentlemjmp_irow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
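Detection note on the signatures above (an editor's addition; it is not part of the sandbox report or the vendor's signature set). The "Enumerates processes with tasklist", "Gathers network information" and "Checks for common network interception software" hits all trace back to batch files dropped by the Inno Setup loader (the is-XXXXX.tmp directories and the .tmp companion launched with /SL5= are that loader's convention): CheckProc.cmd runs tasklist /FI "IMAGENAME eq <tool>" /FO CSV once per analysis, interception or remote-control tool (Fiddler, Wireshark, Capsa, ipscan, Procmon, regedit, Taskmgr, OllyDbg, Regshot, HMA! Pro VPN, TeamViewer, DFServ, Unchecky) plus a WINDOWTITLE probe for Process Monitor, and the pipelines that follow the cmd.bat launch pipe netstat -na through findstr to look for an ESTABLISHED connection on VNC display ports 5900-5904, i.e. an analyst attached over VNC. Two practitioner caveats: the Files section lists the same CheckProc.cmd path with a different hash each time, so the script is rewritten per probe and hashing it is useless, and the SeDebugPrivilege rows for tasklist.exe and NETSTAT.EXE are attributed to those Microsoft utilities themselves, so the durable signal is the child command line. The Python below scores these probes per originating process from process-creation telemetry. It assumes events arrive as (root_pid, command_line) tuples where root_pid identifies the nearest non-shell ancestor (for this sample that would be the installer's .tmp process); the pids in the constructed sample events are made up, the command lines are copied from the process tree.

```python
import re
from collections import defaultdict

# Image names this sample probes that are analysis, interception or
# remote-control tools (taken from the tasklist command lines in the report).
# The installer-housekeeping probes (newversion.*, Setup*.exe) are deliberately
# absent: they are not evidence of evasion.
ANALYSIS_TOOLS = {
    "fiddler.exe", "wireshark.exe", "capsa.exe", "ipscan.exe", "procmon.exe",
    "regedit.exe", "taskmgr.exe", "ollydbg.exe", "regshot-x64-unicode.exe",
    "regshot-unicode.exe", "hma! pro vpn.exe", "teamviewer_desktop.exe",
    "dfserv.exe", "unchecky_svc.exe", "unchecky_gb.exe",
}
VNC_PORTS = range(5900, 5910)  # RFB display ports :0 .. :9

IMAGENAME_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
WINDOWTITLE_RE = re.compile(r'tasklist\s+/FI\s+"WINDOWTITLE\s+eq\s+([^"]+)"', re.I)
# netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
VNC_RE = re.compile(r'netstat\s+-na\b.*?findstr\s+/C:":(\d{4,5}) ".*?ESTABLISHED', re.I)


def probed_image(cmdline):
    """Image name (lower-cased) a tasklist /FI IMAGENAME command asks about, else None."""
    m = IMAGENAME_RE.search(cmdline)
    return m.group(1).strip().lower() if m else None


def probed_window_title(cmdline):
    """Window-title pattern a tasklist /FI WINDOWTITLE command asks about, else None."""
    m = WINDOWTITLE_RE.search(cmdline)
    return m.group(1).strip() if m else None


def vnc_probe_port(cmdline):
    """VNC port a netstat|findstr|findstr ESTABLISHED pipeline checks, else None."""
    m = VNC_RE.search(cmdline)
    if not m:
        return None
    port = int(m.group(1))
    return port if port in VNC_PORTS else None


def analyse(events, min_tools=3):
    """Group probes by originating process; flag >= min_tools distinct tool probes
    or any VNC-session probe. events: iterable of (root_pid, cmdline)."""
    images, titles, ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for root, cmdline in events:
        name = probed_image(cmdline)
        if name in ANALYSIS_TOOLS:
            images[root].add(name)
        title = probed_window_title(cmdline)
        if title and title.lower().startswith("process monitor"):
            titles[root].add(title)
        port = vnc_probe_port(cmdline)
        if port is not None:
            ports[root].add(port)
    findings = []
    for root in sorted(set(images) | set(titles) | set(ports)):
        count = len(images[root]) + len(titles[root])
        if count >= min_tools or ports[root]:
            findings.append({
                "root_pid": root,
                "probe_count": count,
                "images": sorted(images[root]),
                "window_titles": sorted(titles[root]),
                "vnc_ports": sorted(ports[root]),
            })
    return findings


# Constructed sample telemetry: command lines from this report's process tree,
# pids invented. 1001 stands in for the installer .tmp; 7012 is benign noise.
SAMPLE_EVENTS = [
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV'),
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV'),
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV'),
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV'),
    (1001, r'"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"'),
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV'),
    (1001, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV'),
    (1001, r'"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"'),
    (1001, r'"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"'),
    (7012, r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq notepad.exe" /FO CSV'),
    (7012, r'netstat -na'),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

A single tasklist probe is ordinary admin scripting, which is why the rule needs a per-process count; the VNC check is alerted on its own because a legitimate installer has no reason to ask whether someone is connected over RFB.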
Processes
C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp" /SL5="$601C8,3365513,56832,C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq Process Monitor*"
C:\Windows\SysWOW64\find.exe
find "PID"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\cmd.bat""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5900 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5901 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5902 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5903 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5904 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\gentlemjmp_irow.exe
"C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NGVRC.tmp\gentlemjmp_irow.tmp" /SL5="$24004C,2965330,56832,C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
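The PowerShell one-liner above (both launches, each started from an ex.bat, run the same script) is an AV inventory: it stops with ServerOS|0 on server SKUs (ProductType 3), on 5.x (XP/2003) reads the legacy root\SecurityCenter AntiVirusProduct class and writes name|4096 or name|0 from onAccessScanningEnabled, and on anything newer reads displayName and productState from root\SecurityCenter2 AntiVirusProduct and AntiSpywareProduct and joins the records with '*'. The 4096 in the legacy branch is 0x1000, the bit of productState that means real-time protection is enabled, so one bit test covers both formats; bit 0x10 set means the signatures are out of date. The av.txt listed in the Files section hashes to a single line-feed byte (MD5 68b329da9893e34099c7d8ad5cb9c940), consistent with the script finding no registered product in this sandbox image. As an added example (not code from the sample or from the report), the Python below parses the script's output in all three shapes and decodes productState; the sample outputs it uses are constructed, not captured from this run.

```python
import re

# productState is a 24-bit value; the two bits a consumer normally cares about.
ENABLED_FLAG = 0x1000   # real-time (on-access) protection is on
OUTDATED_FLAG = 0x0010  # signature definitions are out of date
# The sample's XP fallback writes 4096 (== 0x1000) or 0, so the same test applies.


def decode_product_state(state):
    """Decode a SecurityCenter2 productState integer into the useful flags."""
    return {
        "raw": f"0x{state:06x}",
        "enabled": bool(state & ENABLED_FLAG),
        "signatures_out_of_date": bool(state & OUTDATED_FLAG),
    }


def parse_av_report(text):
    """Parse the one-liner's output.

    Vista+ : 'name|productState' records joined by '*' on one line.
    XP     : one 'name|4096' or 'name|0' line per product, then an empty line.
    Server : the single line 'ServerOS|0', then an empty line.
    Empty  : nothing registered in SecurityCenter2 (what this run produced).
    """
    records = []
    for chunk in re.split(r"[*\r\n]+", text):
        chunk = chunk.strip()
        if "|" not in chunk:
            continue
        name, _, state = chunk.rpartition("|")
        if not state.isdigit():
            continue
        rec = {"name": name, "state": int(state)}
        rec.update(decode_product_state(rec["state"]))
        # The server branch never queried a product; keep it but mark it.
        rec["kind"] = "server_skipped" if name == "ServerOS" else "product"
        records.append(rec)
    return records


def host_protected(records):
    """True if at least one real product reports real-time protection enabled."""
    return any(r["kind"] == "product" and r["enabled"] for r in records)


# Constructed sample outputs (not captured from this run).
SAMPLE_VISTA = "Windows Defender|397568*Windows Defender|397568\n"
SAMPLE_XP = "Some AV|4096\nOther AV|0\n\n"
SAMPLE_SERVER = "ServerOS|0\n\n"
SAMPLE_EMPTY = "\n"

if __name__ == "__main__":
    for label, out in (("vista+", SAMPLE_VISTA), ("xp", SAMPLE_XP),
                       ("server", SAMPLE_SERVER), ("empty", SAMPLE_EMPTY)):
        recs = parse_av_report(out)
        print(label, host_protected(recs), recs)
```

An empty result is the case to watch when reproducing this in a lab: a sandbox image with no product registered in SecurityCenter2 tells the installer it is unprotected, which is exactly what an evasive installer wants to hear before it proceeds.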
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4268-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4268-2-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IO9GE.tmp\911b6ede550a51266f1d6a99a9174153_JaffaCakes118.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/4448-9-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\ex.bat
| MD5 | 3367ed41c9efb250dfb6d3fdd4091852 |
| SHA1 | d193f93d5888918730f887c914a551af4aaaca57 |
| SHA256 | 9b62f9fa02e42a8af63b0ff0cf9598b085d95969d0d6f7755970d9c6f3a08659 |
| SHA512 | 7b4de193db859917f5add911a53632083a2124eef2ac9a739002f17276b5aed400525cdfbd87b3e32f19f6f125c215bb2252c81e4b84339c5b78c180a95e3b29 |
memory/2196-14-0x00000000003D0000-0x000000000043D000-memory.dmp
memory/2196-15-0x0000000004710000-0x0000000004746000-memory.dmp
memory/2196-16-0x0000000004EB0000-0x00000000054D8000-memory.dmp
memory/2196-17-0x0000000004D00000-0x0000000004D22000-memory.dmp
memory/2196-18-0x00000000055E0000-0x0000000005646000-memory.dmp
memory/2196-19-0x0000000005650000-0x00000000056B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i1kf25x.mqn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2196-29-0x0000000005890000-0x0000000005BE4000-memory.dmp
memory/2196-30-0x0000000005C80000-0x0000000005C9E000-memory.dmp
memory/2196-31-0x0000000005D30000-0x0000000005D7C000-memory.dmp
memory/2196-32-0x0000000006C60000-0x0000000006CF6000-memory.dmp
memory/2196-33-0x00000000061B0000-0x00000000061CA000-memory.dmp
memory/2196-34-0x00000000061D0000-0x00000000061F2000-memory.dmp
memory/2196-35-0x0000000007300000-0x00000000078A4000-memory.dmp
memory/2196-36-0x0000000007F30000-0x00000000085AA000-memory.dmp
memory/2196-39-0x00000000003D0000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\av.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | dae8768bbb8a4fddc4dca8eae7c4d65f |
| SHA1 | 385ffb932fcff489392536d62e291ed9e0beea98 |
| SHA256 | ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf |
| SHA512 | 492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 6a745081c62a706c014a876f45b5a56b |
| SHA1 | 25f17fcc50dd202d2381c00970e2dc04c2ad9707 |
| SHA256 | e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c |
| SHA512 | a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | f0315949ccc3d22d958503f5735cfbcc |
| SHA1 | 883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0 |
| SHA256 | 201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d |
| SHA512 | aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 110d64c0e450ff59542f81690a2d53b7 |
| SHA1 | 7f2e989deb095a0530792989e5fa9d7279d5f3e7 |
| SHA256 | 735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e |
| SHA512 | 00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 8fec1ab28e8ee7394915990458fb85dc |
| SHA1 | c70e183a783a9621cd64584de99f8163deb40872 |
| SHA256 | b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd |
| SHA512 | c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 97cc4c6dda23b9631b8c9185859ad061 |
| SHA1 | 5f912a6c094bd918afe5e9f0c70cd45b36dff722 |
| SHA256 | 55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8 |
| SHA512 | cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | b921f2f9f97a642d513e1307f7685e0f |
| SHA1 | 3489b63a484a6114f1828100908bbbc622b07ed1 |
| SHA256 | 953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc |
| SHA512 | 1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | b35e8ab65e7f8a4edb3663885f775681 |
| SHA1 | 49b66b2e3cff64dd7d8315c53d852c19a46e8609 |
| SHA256 | 9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53 |
| SHA512 | 3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | f1b6aae3dcd94b94aee326517e3dc583 |
| SHA1 | 3418fdda1ad30df64d7bac068e1a0c4e305cfd75 |
| SHA256 | a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b |
| SHA512 | dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | d93cc818d32f755945cddfc02b29fb89 |
| SHA1 | fc564e791326d269d005c894cfca674352dae814 |
| SHA256 | c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c |
| SHA512 | 62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 660d266764b1952b43431d6c7dc0dfa9 |
| SHA1 | 809794738d6ca580d6ec14e77a717e831b0d0e5c |
| SHA256 | e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5 |
| SHA512 | 6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 59a8010aab7eb203cd9fda8f6be1beca |
| SHA1 | b9a07636b921183c88880320294e279c935cddd7 |
| SHA256 | 2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba |
| SHA512 | 26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | a59dd0f9883ea39c5119831b0eed46cc |
| SHA1 | 8c9354051f7d92310636f0f17e5770aede9d1ad3 |
| SHA256 | ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493 |
| SHA512 | 4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 32b997a9d994996a4369a580e6541b7d |
| SHA1 | d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1 |
| SHA256 | 39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8 |
| SHA512 | f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | f0b99c1273d3787f7769feb4d56e6803 |
| SHA1 | 6105232df9585072be8ca04712f8760812943cbf |
| SHA256 | 176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d |
| SHA512 | 73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 755c6764b8ecbb83798450705f51510f |
| SHA1 | deb141c4fc3220f0ff5c16eabf1adf850bf55610 |
| SHA256 | cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016 |
| SHA512 | a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\cmd.bat
| MD5 | 0a87520448986b073339d9e1dc7686ad |
| SHA1 | 768e2b5e7667c876fac31846735346ffee570dc9 |
| SHA256 | 4c5640518d12fb013cc9a576a7e0933d2694893df97330c124577ae0ef20ef7b |
| SHA512 | 1b906a4fd94333063a270f907daf85fb331b896b310a2710276553fb04467888a5bda2958a2e7f3d2ffba4a38709a67d230b2d49128f80d307ffd5d3122290dd |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\favicon.ico
| MD5 | f0b81e3ecd1b5d144558da07bece8803 |
| SHA1 | 9ee5bf12a207859d89dc893b8d02bd5c739edb52 |
| SHA256 | dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1 |
| SHA512 | 774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | e902b4bcf5b531d057d091d00be3daee |
| SHA1 | 0cd058fcfab51dbfe91b139dc52245d5a4326f55 |
| SHA256 | 9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3 |
| SHA512 | 5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | c842d438cebab4b876572a8bc032aabe |
| SHA1 | e95c7d4e2f6246daba6f0baec8e1b94c91384c4d |
| SHA256 | ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218 |
| SHA512 | aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 410515fbd7d2a2b4fab0fb80c76c2a74 |
| SHA1 | f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893 |
| SHA256 | 6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99 |
| SHA512 | f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\CheckProc.cmd
| MD5 | 0cbb771b9f9523adb96d5bae77154a05 |
| SHA1 | 528330a335047039ab012b01bb7a3f585e6f5a8d |
| SHA256 | 4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e |
| SHA512 | 41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1 |
C:\Users\Admin\AppData\Local\Temp\is-1JMK6.tmp\gentlemjmp_irow.exe
| MD5 | 14e668aaf993439d183e90a54a6e957a |
| SHA1 | 095a424c7ac89f893563c47b3dbbf696eb49229d |
| SHA256 | 9ef10e877cee340370ecf7580d9637d45ddbac6b37b96c8f6e7784a9e73cab5b |
| SHA512 | 9af81827f111a764a2e2dd69d6ae8217fb18365e5b9e9e925cc16f39f50be22eb25ba6c3df54391a0b1383fb4622170f4455c5bdf6651ce55e7b029ba573c909 |
memory/3720-90-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\isskin.dll
| MD5 | 92c2e247392e0e02261dea67e1bb1a5e |
| SHA1 | db72fed8771364bf8039b2bc83ed01dda2908554 |
| SHA256 | 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68 |
| SHA512 | e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5 |
C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1248-108-0x0000000003B70000-0x0000000003BAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\innocallback.dll
| MD5 | 1c55ae5ef9980e3b1028447da6105c75 |
| SHA1 | f85218e10e6aa23b2f5a3ed512895b437e41b45c |
| SHA256 | 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f |
| SHA512 | 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b |
memory/1248-115-0x00000000023D0000-0x00000000023E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-53O6P.tmp\ex.bat
| MD5 | 6a8ed5d06176c204d08e92a66eb50077 |
| SHA1 | cdb4be4c2640dfe3f19bbde19def1b2f39fcac67 |
| SHA256 | 094619df525925b48d74ba25093c512c49778eda6df371a07414bfcd80740a3f |
| SHA512 | 61c36d9872183736f107be59195231d568b7bbb147573b672975b2c0e6161f245032cf13adebe29c260852e75574d58de81af176077327b2679e05f45ec990e2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
memory/2420-126-0x0000000006250000-0x00000000065A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 67bdd2c108fabe49842e833fcc17f08a |
| SHA1 | dc32abe7930f6cfa20b4a9f7e51db3d97522b244 |
| SHA256 | 632e9b753dfea3f8a820357e0bcae5012af2eb31b199006b4f5eaa791c4c9bb9 |
| SHA512 | 29ddff05ae723ec31c60f1bec2c30ca528159ee8df9f68259f8e9d9297b0f377c03e2b68cca61aacb1b1defe563c37fba85fc809b19e12b6ea5bd83f12efa526 |
memory/2420-132-0x0000000006ED0000-0x0000000006F1C000-memory.dmp
memory/4268-133-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4448-134-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1248-138-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1248-140-0x00000000023D0000-0x00000000023E5000-memory.dmp
memory/1248-139-0x0000000003B70000-0x0000000003BAC000-memory.dmp
memory/3720-141-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4448-143-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4268-144-0x0000000000400000-0x0000000000414000-memory.dmp