Analysis Overview
SHA256
24c7ce219369223dada0233930938d06b805f45b7062fdcbc1bcef643a337b8d
Threat Level: Known bad
The file 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
UPX packed file
Checks computer location settings
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-18 08:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 08:51
Reported
2024-07-18 08:54
Platform
win7-20240708-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Temp\Sonar Solution bps.exe | N/A |
| N/A | N/A | C:\Temp\Sonar Solution.exe | N/A |
| N/A | N/A | C:\Temp\Sonar Build.exe | N/A |
| N/A | N/A | C:\Temp\SonarSolutionsBuild.sfx.exe | N/A |
| N/A | N/A | C:\Temp\installer.sfx.exe | N/A |
| N/A | N/A | C:\Temp\SonarSolutionsBuild.exe | N/A |
| N/A | N/A | C:\Temp\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| N/A | N/A | C:\Temp\audiodg.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\smss.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72f7d36c464c71f42baab150b2b9 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| N/A | N/A | C:\Temp\audiodg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Temp\audiodg.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart3.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Temp\sonspam3.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam3.bat" any_word
C:\Temp\Sonar Solution bps.exe
"Sonar Solution bps.exe" -p123908VDS -dC:\Temp
C:\Temp\Sonar Solution.exe
"C:\Temp\Sonar Solution.exe"
C:\Temp\Sonar Build.exe
"C:\Temp\Sonar Build.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Temp\sonspam.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Temp\sonspam2.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word
C:\Temp\installer.sfx.exe
"installer.sfx.exe" -p123908VDS -dC:\Temp
C:\Temp\SonarSolutionsBuild.sfx.exe
"SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp
C:\Temp\SonarSolutionsBuild.exe
"C:\Temp\SonarSolutionsBuild.exe"
C:\Temp\installer.exe
"C:\Temp\installer.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
"C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Temp\audiodg.exe'" /rl HIGHEST /f
C:\Temp\audiodg.exe
"C:\Temp\audiodg.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 95.181.152.61:80 | tcp | |
| RU | 95.181.152.61:80 | tcp |
Files
C:\Temp\sonspamstart3.vbs
| MD5 | 2bbf5501471e1aac194788329d51c1f6 |
| SHA1 | d6567dac174a790c4c9c0260ebc26f1e907e11c6 |
| SHA256 | b30b02a7f47e28833f61fae076a6f5d4f65ad8be8a2f7e149823f16865f24c84 |
| SHA512 | 2ef72434ac17b1b5f9cd6acb75bba79694b8b07707a4f8627f32b490e0c28c85a4aecc96af0888e0e3783478d91d5de96ae6d08a380a26b5b5bc36e70f7ce2c5 |
C:\Temp\sonspam3.bat
| MD5 | d03ef1a5b47192022b84cf3cbe846746 |
| SHA1 | 69fe029ecc4b2b54668cac671327f47898a16098 |
| SHA256 | 01fb9348f5ac22ba4c66238383e0f3282afb73426e58a008d982c796115ca43f |
| SHA512 | b8cb805dffc485f0b83f18d801454f7e1b5bf04266d3685a0da5c0ad3d22cc3e81329a5e03b2f3b1c125220b5653418112b7239138eb3e6b423517b7cf29711a |
C:\Temp\Sonar Solution bps.exe
| MD5 | 042e5cb5d7b65e74dccd2e353058bb4f |
| SHA1 | e91f4bfd50dbf648a6c90799615d177fa4bdc9a9 |
| SHA256 | e36d1de190713bf60677894938ec31b1115f106cb3155eea129bab9f7ab15674 |
| SHA512 | 36d39fe0287a43377ac479049e9e91d5cc2d78fcd620e1b95c26440b62ff70abfe9fc8180bfd0e630d53472d22a75888063cb67228680554ffe246232335f247 |
\Temp\Sonar Solution.exe
| MD5 | 557d4c09c4da24b8d5c59a91c3033093 |
| SHA1 | d0a604bbfe5638138cc76644c8762563762eedb0 |
| SHA256 | b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3 |
| SHA512 | 0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e |
\Temp\Sonar Build.exe
| MD5 | b4b602c182251256d93cd3ac38c80ea1 |
| SHA1 | 702caa8790a2dc43302bf4a837f1a1ffda558121 |
| SHA256 | dd0ac90dc00a212e95eb4ec74475cdde57e1575195a369335cbbdbe8a367927c |
| SHA512 | 947e661d7a8af1ac6a0cc5eb98826d56aeb6048458c1db0891e5d00fe34ed9aad1d0bdddb31d84a12ef2b6585efd4ef08842c5a1fb0b086afc9d4982a7d693e0 |
C:\Temp\SonarSolutionsBuild.sfx.exe
| MD5 | 3174874c54ba496c13faeaf3c9a89e57 |
| SHA1 | 2b871e0e3540eb0ecfe2288777b9e7dc76c3cce7 |
| SHA256 | 3810a8fdb92b8a253d858772c0d34796b9b326a01820d1ca6afb2dfe777d2541 |
| SHA512 | 52f9df197394057a5fb495ac662c942b6177462f8ae952fedc507ab60e8ff5828fb4a439f2cb20e22dfdfd336e7290337f043da3e93be7d1a06a3dfcc80caf36 |
C:\Temp\sonspamstart.vbs
| MD5 | 68f47f42c9c8df4f547695c0060f7663 |
| SHA1 | 01e85ff16492d39879958fa9471a9fd0e0013206 |
| SHA256 | cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e |
| SHA512 | 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d |
C:\Temp\sonspamstart2.vbs
| MD5 | 1f44ba5ac2e01f3db75315c14585b636 |
| SHA1 | 3ae7ef5ec39345c7d25fbbe5e225f8fbdc4b019d |
| SHA256 | 16d9996f0ee8e527a6bc5304581d8a4761b1e93edc7f8fb52074219c00c6a1f2 |
| SHA512 | 4fa90f5e97ad9e31c34229bc03b21ccc7a0a203246d2c7c7690b110ee2b8cf89c5d484f01150a43998481f2ad4879f3e83fbf5a06fe3b298f52a7e14a718aabd |
C:\Temp\sonspam2.bat
| MD5 | 397b15d0dc10df35388eeaabf030bff1 |
| SHA1 | 6d4c5835723063203fe43bd5cd5872acf5b84e47 |
| SHA256 | 7cfb2f6ab63ab48188df3066b3a537273b77271dbfd5f22480f2f503e338adb9 |
| SHA512 | 2147a3a9248873e87dd97555b33672f33d36c661460ebda1bfbd08cbd6066274f03b7969323ce94c205f557bdbe7a743bb938e95eedd484069dfb7c6df757e97 |
C:\Temp\sonspam.bat
| MD5 | b85cf59bcba86d882ff114d44ce2789d |
| SHA1 | efdd4b718ed0d0f8af4caabad936afb03a5447df |
| SHA256 | e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597 |
| SHA512 | e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef |
C:\Temp\installer.sfx.exe
| MD5 | eb3b0596ae7cb54396a1815beaede97f |
| SHA1 | f5116c7e301dd50b0c2eeb3c4459ed75321a603e |
| SHA256 | c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10 |
| SHA512 | ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231 |
\Temp\SonarSolutionsBuild.exe
| MD5 | 9b8723149c4c4aee50f53a2f08be3a02 |
| SHA1 | a06614bd0e1bb8856b8fdc1b941b3adad9e58194 |
| SHA256 | db0b39d546fdbfe699c81dbf6f14b705bd00314102438ee5d101a2918cfc38bd |
| SHA512 | 26cc5abcc47d46a756fa489eb1237b6af420c8a6167372d6789be96a8b833c4a9814882bb07d829b21139e000b2ef59058422c89641fa0b3893f8eb8a150abe2 |
C:\Temp\installer.exe
| MD5 | 849eb64e16678f93dab5d31e6f62eb95 |
| SHA1 | ee92d61555b766921daa006a56c62d2e43e01fb5 |
| SHA256 | 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058 |
| SHA512 | d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a |
\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
| MD5 | b44452a72e44157f12e331bd4623052e |
| SHA1 | e02b7cfd576c64938827925fe215f9fce6075ac4 |
| SHA256 | 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c |
| SHA512 | 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4 |
memory/2776-118-0x0000000001060000-0x00000000010E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe
| MD5 | 1b9c939adc33ae74ac644998287149cc |
| SHA1 | 633bd684184d9e12d13aa6c3267d80bd5d87393c |
| SHA256 | 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb |
| SHA512 | 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae |
C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat
| MD5 | 68dc7eb71a7f95c046a63052c8331e92 |
| SHA1 | 77224c83ad1398efab03ccfca520a83460e16d03 |
| SHA256 | 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7 |
| SHA512 | 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128 |
C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe
| MD5 | 3d85f3996a95493013590846632e86f6 |
| SHA1 | 9b9e935e3ae296a16d0fb08b7809d39d17f715e5 |
| SHA256 | b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a |
| SHA512 | bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65 |
C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
| MD5 | 31e8f1b92ffcdd66676fcb134b225e15 |
| SHA1 | 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58 |
| SHA256 | 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110 |
| SHA512 | fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f |
memory/2776-108-0x0000000001060000-0x00000000010E1000-memory.dmp
memory/2408-107-0x0000000003480000-0x0000000003501000-memory.dmp
memory/2804-149-0x0000000003AB0000-0x0000000003D14000-memory.dmp
memory/2804-151-0x0000000003AB0000-0x0000000003D14000-memory.dmp
memory/2108-155-0x0000000000400000-0x0000000000664000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
| MD5 | 0bb0a48942451a8258bc7087fd24a2a7 |
| SHA1 | b69aa2a06e26754ea43a4763dd300b358331e29c |
| SHA256 | dedeee5bb27b2884138832f38f2e93298224cca0ed6fae80b4b08de9c24c2cd7 |
| SHA512 | b41318045fddc4c113a1ff30021a2f1ea442f72ed1eac8946d5b5e598b94b31ffb18e32fcfcf4fe3c097a5258c4bf72a5abf2048b83fbc2b54151d7e3b4fd585 |
memory/2804-153-0x0000000003AB0000-0x0000000003D14000-memory.dmp
memory/2804-152-0x0000000003AB0000-0x0000000003D14000-memory.dmp
C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
| MD5 | a1f2423f375be02b22175a9de219a17e |
| SHA1 | d3f0dcee37bce0952a8841dea578ba431588f621 |
| SHA256 | d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71 |
| SHA512 | e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4 |
\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll
| MD5 | c9aff68f6673fae7580527e8c76805b6 |
| SHA1 | bb62cc1db82cfe07a8c08a36446569dfc9c76d10 |
| SHA256 | 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4 |
| SHA512 | c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56 |
C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat
| MD5 | 8c56e629a1aec270a35c4e9958b43bfb |
| SHA1 | aa0b74c4d84fecdc34556bd4c7713bb618a5ba92 |
| SHA256 | ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc |
| SHA512 | a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a |
memory/2992-165-0x00000000002F0000-0x0000000000428000-memory.dmp
memory/2868-177-0x0000000001340000-0x0000000001478000-memory.dmp
memory/2108-178-0x0000000000400000-0x0000000000664000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 08:51
Reported
2024-07-18 08:54
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\SonarSolutionsBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\Sonar Solution bps.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\Sonar Build.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\Sonar Solution.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\installer.sfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Temp\SonarSolutionsBuild.sfx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Temp\Sonar Solution bps.exe | N/A |
| N/A | N/A | C:\Temp\Sonar Solution.exe | N/A |
| N/A | N/A | C:\Temp\Sonar Build.exe | N/A |
| N/A | N/A | C:\Temp\installer.sfx.exe | N/A |
| N/A | N/A | C:\Temp\SonarSolutionsBuild.sfx.exe | N/A |
| N/A | N/A | C:\Temp\installer.exe | N/A |
| N/A | N/A | C:\Temp\SonarSolutionsBuild.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f07baff8eff543b0a1441069b5d | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Uninstall Information\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\cmd.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\explorer.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Program Files\Uninstall Information\sihost.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\fontdrvhost.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\5b884080fd4f94e2695da25c503f9e33b9605b83 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\sysmon.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Windows\de-DE\sihost.exe | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| File created | C:\Windows\de-DE\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Temp\Sonar Solution.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Temp\Sonar Build.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart3.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam3.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam3.bat" any_word
C:\Temp\Sonar Solution bps.exe
"Sonar Solution bps.exe" -p123908VDS -dC:\Temp
C:\Temp\Sonar Solution.exe
"C:\Temp\Sonar Solution.exe"
C:\Temp\Sonar Build.exe
"C:\Temp\Sonar Build.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam2.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word
C:\Temp\installer.sfx.exe
"installer.sfx.exe" -p123908VDS -dC:\Temp
C:\Temp\SonarSolutionsBuild.sfx.exe
"SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp
C:\Temp\installer.exe
"C:\Temp\installer.exe"
C:\Temp\SonarSolutionsBuild.exe
"C:\Temp\SonarSolutionsBuild.exe"
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Windows\SysWOW64\attrib.exe
ATTRIB +S +H -R C:\Temp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
"C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\cmd.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\de-DE\sihost.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\System.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\explorer.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 95.181.152.61:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 95.181.152.61:80 | tcp | |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Temp\sonspamstart3.vbs
| MD5 | 2bbf5501471e1aac194788329d51c1f6 |
| SHA1 | d6567dac174a790c4c9c0260ebc26f1e907e11c6 |
| SHA256 | b30b02a7f47e28833f61fae076a6f5d4f65ad8be8a2f7e149823f16865f24c84 |
| SHA512 | 2ef72434ac17b1b5f9cd6acb75bba79694b8b07707a4f8627f32b490e0c28c85a4aecc96af0888e0e3783478d91d5de96ae6d08a380a26b5b5bc36e70f7ce2c5 |
C:\Temp\sonspam3.bat
| MD5 | d03ef1a5b47192022b84cf3cbe846746 |
| SHA1 | 69fe029ecc4b2b54668cac671327f47898a16098 |
| SHA256 | 01fb9348f5ac22ba4c66238383e0f3282afb73426e58a008d982c796115ca43f |
| SHA512 | b8cb805dffc485f0b83f18d801454f7e1b5bf04266d3685a0da5c0ad3d22cc3e81329a5e03b2f3b1c125220b5653418112b7239138eb3e6b423517b7cf29711a |
C:\Temp\Sonar Solution bps.exe
| MD5 | 042e5cb5d7b65e74dccd2e353058bb4f |
| SHA1 | e91f4bfd50dbf648a6c90799615d177fa4bdc9a9 |
| SHA256 | e36d1de190713bf60677894938ec31b1115f106cb3155eea129bab9f7ab15674 |
| SHA512 | 36d39fe0287a43377ac479049e9e91d5cc2d78fcd620e1b95c26440b62ff70abfe9fc8180bfd0e630d53472d22a75888063cb67228680554ffe246232335f247 |
C:\Temp\Sonar Solution.exe
| MD5 | 557d4c09c4da24b8d5c59a91c3033093 |
| SHA1 | d0a604bbfe5638138cc76644c8762563762eedb0 |
| SHA256 | b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3 |
| SHA512 | 0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e |
C:\Temp\Sonar Build.exe
| MD5 | b4b602c182251256d93cd3ac38c80ea1 |
| SHA1 | 702caa8790a2dc43302bf4a837f1a1ffda558121 |
| SHA256 | dd0ac90dc00a212e95eb4ec74475cdde57e1575195a369335cbbdbe8a367927c |
| SHA512 | 947e661d7a8af1ac6a0cc5eb98826d56aeb6048458c1db0891e5d00fe34ed9aad1d0bdddb31d84a12ef2b6585efd4ef08842c5a1fb0b086afc9d4982a7d693e0 |
C:\Temp\installer.sfx.exe
| MD5 | eb3b0596ae7cb54396a1815beaede97f |
| SHA1 | f5116c7e301dd50b0c2eeb3c4459ed75321a603e |
| SHA256 | c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10 |
| SHA512 | ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231 |
C:\Temp\sonspamstart.vbs
| MD5 | 68f47f42c9c8df4f547695c0060f7663 |
| SHA1 | 01e85ff16492d39879958fa9471a9fd0e0013206 |
| SHA256 | cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e |
| SHA512 | 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d |
C:\Temp\sonspam.bat
| MD5 | b85cf59bcba86d882ff114d44ce2789d |
| SHA1 | efdd4b718ed0d0f8af4caabad936afb03a5447df |
| SHA256 | e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597 |
| SHA512 | e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef |
C:\Temp\sonspamstart2.vbs
| MD5 | 1f44ba5ac2e01f3db75315c14585b636 |
| SHA1 | 3ae7ef5ec39345c7d25fbbe5e225f8fbdc4b019d |
| SHA256 | 16d9996f0ee8e527a6bc5304581d8a4761b1e93edc7f8fb52074219c00c6a1f2 |
| SHA512 | 4fa90f5e97ad9e31c34229bc03b21ccc7a0a203246d2c7c7690b110ee2b8cf89c5d484f01150a43998481f2ad4879f3e83fbf5a06fe3b298f52a7e14a718aabd |
C:\Temp\sonspam2.bat
| MD5 | 397b15d0dc10df35388eeaabf030bff1 |
| SHA1 | 6d4c5835723063203fe43bd5cd5872acf5b84e47 |
| SHA256 | 7cfb2f6ab63ab48188df3066b3a537273b77271dbfd5f22480f2f503e338adb9 |
| SHA512 | 2147a3a9248873e87dd97555b33672f33d36c661460ebda1bfbd08cbd6066274f03b7969323ce94c205f557bdbe7a743bb938e95eedd484069dfb7c6df757e97 |
C:\Temp\SonarSolutionsBuild.sfx.exe
| MD5 | 3174874c54ba496c13faeaf3c9a89e57 |
| SHA1 | 2b871e0e3540eb0ecfe2288777b9e7dc76c3cce7 |
| SHA256 | 3810a8fdb92b8a253d858772c0d34796b9b326a01820d1ca6afb2dfe777d2541 |
| SHA512 | 52f9df197394057a5fb495ac662c942b6177462f8ae952fedc507ab60e8ff5828fb4a439f2cb20e22dfdfd336e7290337f043da3e93be7d1a06a3dfcc80caf36 |
C:\Temp\installer.exe
| MD5 | 849eb64e16678f93dab5d31e6f62eb95 |
| SHA1 | ee92d61555b766921daa006a56c62d2e43e01fb5 |
| SHA256 | 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058 |
| SHA512 | d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a |
C:\Temp\SonarSolutionsBuild.exe
| MD5 | 9b8723149c4c4aee50f53a2f08be3a02 |
| SHA1 | a06614bd0e1bb8856b8fdc1b941b3adad9e58194 |
| SHA256 | db0b39d546fdbfe699c81dbf6f14b705bd00314102438ee5d101a2918cfc38bd |
| SHA512 | 26cc5abcc47d46a756fa489eb1237b6af420c8a6167372d6789be96a8b833c4a9814882bb07d829b21139e000b2ef59058422c89641fa0b3893f8eb8a150abe2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
| MD5 | b44452a72e44157f12e331bd4623052e |
| SHA1 | e02b7cfd576c64938827925fe215f9fce6075ac4 |
| SHA256 | 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c |
| SHA512 | 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4 |
memory/2016-83-0x0000000000AC0000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
| MD5 | 0bb0a48942451a8258bc7087fd24a2a7 |
| SHA1 | b69aa2a06e26754ea43a4763dd300b358331e29c |
| SHA256 | dedeee5bb27b2884138832f38f2e93298224cca0ed6fae80b4b08de9c24c2cd7 |
| SHA512 | b41318045fddc4c113a1ff30021a2f1ea442f72ed1eac8946d5b5e598b94b31ffb18e32fcfcf4fe3c097a5258c4bf72a5abf2048b83fbc2b54151d7e3b4fd585 |
memory/208-99-0x0000000000400000-0x0000000000664000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll
| MD5 | c9aff68f6673fae7580527e8c76805b6 |
| SHA1 | bb62cc1db82cfe07a8c08a36446569dfc9c76d10 |
| SHA256 | 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4 |
| SHA512 | c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56 |
memory/2016-112-0x0000000000AC0000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe
| MD5 | 1b9c939adc33ae74ac644998287149cc |
| SHA1 | 633bd684184d9e12d13aa6c3267d80bd5d87393c |
| SHA256 | 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb |
| SHA512 | 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae |
C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat
| MD5 | 68dc7eb71a7f95c046a63052c8331e92 |
| SHA1 | 77224c83ad1398efab03ccfca520a83460e16d03 |
| SHA256 | 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7 |
| SHA512 | 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128 |
C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
| MD5 | 31e8f1b92ffcdd66676fcb134b225e15 |
| SHA1 | 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58 |
| SHA256 | 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110 |
| SHA512 | fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f |
C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe
| MD5 | 3d85f3996a95493013590846632e86f6 |
| SHA1 | 9b9e935e3ae296a16d0fb08b7809d39d17f715e5 |
| SHA256 | b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a |
| SHA512 | bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65 |
C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat
| MD5 | 8c56e629a1aec270a35c4e9958b43bfb |
| SHA1 | aa0b74c4d84fecdc34556bd4c7713bb618a5ba92 |
| SHA256 | ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc |
| SHA512 | a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a |
C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
| MD5 | a1f2423f375be02b22175a9de219a17e |
| SHA1 | d3f0dcee37bce0952a8841dea578ba431588f621 |
| SHA256 | d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71 |
| SHA512 | e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4 |
memory/5068-130-0x0000022EC2370000-0x0000022EC24A8000-memory.dmp
memory/208-131-0x0000000000400000-0x0000000000664000-memory.dmp