Malware Analysis Report

2024-11-13 13:46

Sample ID 240718-a4n1jaxbrr
Target 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118
SHA256 b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3
Tags
dcrat evasion infostealer rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3

Threat Level: Known bad

The file 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat upx

DcRat

DCRat payload

Sets file to hidden

Checks computer location settings

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 00:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 00:46

Reported

2024-07-18 00:48

Platform

win7-20240704-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SoftwareDistribution\AuthCabs\69ddcba757bf72f7d36c464c71f42baab150b2b9 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
File created | C:\Windows\SoftwareDistribution\AuthCabs\smss.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
N/A | N/A | C:\Users\Admin\My Documents\lsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\My Documents\lsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1628 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2800 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2632 wrote to memory of 2760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2760 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Temp\installer.sfx.exe | 7
PID 2660 wrote to memory of 1636 | N/A | C:\Temp\installer.sfx.exe | C:\Temp\installer.exe | 7
PID 2760 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe | 4
PID 1636 wrote to memory of 2788 | N/A | C:\Temp\installer.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | 4
PID 2788 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2740 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2752 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | 4
PID 2724 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2924 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1068 wrote to memory of 1492 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | 4
PID 1492 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\system32\schtasks.exe | 3
PID 1492 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\system32\schtasks.exe | 3

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Temp\sonspam.bat" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word

C:\Temp\installer.sfx.exe

"installer.sfx.exe" -p123908VDS -dC:\Temp

C:\Temp\installer.exe

"C:\Temp\installer.exe"

C:\Windows\SysWOW64\attrib.exe

ATTRIB +S +H -R C:\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "

C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "

C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

"C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsm.exe'" /rl HIGHEST /f

C:\Users\Admin\My Documents\lsm.exe

"C:\Users\Admin\My Documents\lsm.exe"

Network

Country | Destination | Domain | Proto
RU | 95.181.152.61:80 | | tcp
RU | 95.181.152.61:80 | | tcp

Files

C:\Temp\sonspamstart.vbs

MD5 68f47f42c9c8df4f547695c0060f7663
SHA1 01e85ff16492d39879958fa9471a9fd0e0013206
SHA256 cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e
SHA512 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d

C:\Temp\sonspam.bat

MD5 b85cf59bcba86d882ff114d44ce2789d
SHA1 efdd4b718ed0d0f8af4caabad936afb03a5447df
SHA256 e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597
SHA512 e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef

C:\Temp\installer.sfx.exe

MD5 eb3b0596ae7cb54396a1815beaede97f
SHA1 f5116c7e301dd50b0c2eeb3c4459ed75321a603e
SHA256 c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10
SHA512 ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231

\Temp\installer.exe

MD5 849eb64e16678f93dab5d31e6f62eb95
SHA1 ee92d61555b766921daa006a56c62d2e43e01fb5
SHA256 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058
SHA512 d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a

\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

MD5 b44452a72e44157f12e331bd4623052e
SHA1 e02b7cfd576c64938827925fe215f9fce6075ac4
SHA256 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c
SHA512 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4

memory/1636-33-0x0000000003200000-0x0000000003281000-memory.dmp

memory/1636-40-0x0000000003200000-0x0000000003281000-memory.dmp

memory/2788-42-0x0000000000D20000-0x0000000000DA1000-memory.dmp

memory/2788-51-0x0000000000D20000-0x0000000000DA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe

MD5 1b9c939adc33ae74ac644998287149cc
SHA1 633bd684184d9e12d13aa6c3267d80bd5d87393c
SHA256 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb
SHA512 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae

C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat

MD5 68dc7eb71a7f95c046a63052c8331e92
SHA1 77224c83ad1398efab03ccfca520a83460e16d03
SHA256 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7
SHA512 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128

\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

MD5 31e8f1b92ffcdd66676fcb134b225e15
SHA1 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58
SHA256 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110
SHA512 fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f

C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe

MD5 3d85f3996a95493013590846632e86f6
SHA1 9b9e935e3ae296a16d0fb08b7809d39d17f715e5
SHA256 b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a
SHA512 bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65

C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat

MD5 8c56e629a1aec270a35c4e9958b43bfb
SHA1 aa0b74c4d84fecdc34556bd4c7713bb618a5ba92
SHA256 ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc
SHA512 a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a

\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

MD5 a1f2423f375be02b22175a9de219a17e
SHA1 d3f0dcee37bce0952a8841dea578ba431588f621
SHA256 d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71
SHA512 e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4

memory/1492-70-0x0000000001030000-0x0000000001168000-memory.dmp

memory/1932-92-0x0000000000D90000-0x0000000000EC8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 00:46

Reported

2024-07-18 00:48

Platform

win10v2004-20240709-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Temp\installer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Temp\installer.sfx.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\en-US\conhost.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\en-US\088424020bedd6b28ac7fd22ee35dcd7322895ce | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A | 4

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
N/A | N/A | C:\Recovery\WindowsRE\smss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4192 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 3444 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2464 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2940 wrote to memory of 4932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Temp\installer.sfx.exe | 3
PID 4932 wrote to memory of 4336 | N/A | C:\Temp\installer.sfx.exe | C:\Temp\installer.exe | 3
PID 2940 wrote to memory of 3900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe | 3
PID 4336 wrote to memory of 1404 | N/A | C:\Temp\installer.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | 3
PID 1404 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 4724 wrote to memory of 4296 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4296 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | 3
PID 4316 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 224 wrote to memory of 4916 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4916 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | 2
PID 1620 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\SYSTEM32\schtasks.exe | 2
PID 1620 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\SYSTEM32\schtasks.exe | 2
PID 1620 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\SYSTEM32\schtasks.exe | 2
PID 1620 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Windows\SYSTEM32\schtasks.exe | 2
PID 1620 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | C:\Recovery\WindowsRE\smss.exe | 2

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word

C:\Temp\installer.sfx.exe

"installer.sfx.exe" -p123908VDS -dC:\Temp

C:\Temp\installer.exe

"C:\Temp\installer.exe"

C:\Windows\SysWOW64\attrib.exe

ATTRIB +S +H -R C:\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "

C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "

C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

"C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\smss.exe

"C:\Recovery\WindowsRE\smss.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 95.181.152.61:80 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 95.181.152.61:80 | | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

C:\Temp\sonspamstart.vbs

MD5 68f47f42c9c8df4f547695c0060f7663
SHA1 01e85ff16492d39879958fa9471a9fd0e0013206
SHA256 cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e
SHA512 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d

C:\Temp\sonspam.bat

MD5 b85cf59bcba86d882ff114d44ce2789d
SHA1 efdd4b718ed0d0f8af4caabad936afb03a5447df
SHA256 e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597
SHA512 e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef

C:\Temp\installer.sfx.exe

MD5 eb3b0596ae7cb54396a1815beaede97f
SHA1 f5116c7e301dd50b0c2eeb3c4459ed75321a603e
SHA256 c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10
SHA512 ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231

C:\Temp\installer.exe

MD5 849eb64e16678f93dab5d31e6f62eb95
SHA1 ee92d61555b766921daa006a56c62d2e43e01fb5
SHA256 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058
SHA512 d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

MD5 b44452a72e44157f12e331bd4623052e
SHA1 e02b7cfd576c64938827925fe215f9fce6075ac4
SHA256 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c
SHA512 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4

memory/1404-31-0x00000000003A0000-0x0000000000421000-memory.dmp

memory/1404-41-0x00000000003A0000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe

MD5 1b9c939adc33ae74ac644998287149cc
SHA1 633bd684184d9e12d13aa6c3267d80bd5d87393c
SHA256 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb
SHA512 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae

C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat

MD5 68dc7eb71a7f95c046a63052c8331e92
SHA1 77224c83ad1398efab03ccfca520a83460e16d03
SHA256 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7
SHA512 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128

C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

MD5 31e8f1b92ffcdd66676fcb134b225e15
SHA1 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58
SHA256 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110
SHA512 fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f

C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe

MD5 3d85f3996a95493013590846632e86f6
SHA1 9b9e935e3ae296a16d0fb08b7809d39d17f715e5
SHA256 b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a
SHA512 bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65

C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat

MD5 8c56e629a1aec270a35c4e9958b43bfb
SHA1 aa0b74c4d84fecdc34556bd4c7713bb618a5ba92
SHA256 ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc
SHA512 a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a

C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

MD5 a1f2423f375be02b22175a9de219a17e
SHA1 d3f0dcee37bce0952a8841dea578ba431588f621
SHA256 d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71
SHA512 e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4

memory/1620-58-0x000001E1A9BE0000-0x000001E1A9D18000-memory.dmp