Malware Analysis Report

2024-11-13 13:46

Sample ID 240719-dgv24szbrk
Target 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118
SHA256 6064b9d452f32cf09e464f17381b9f04fe929c8ed35f43772def8556eadec550
Tags
dcrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6064b9d452f32cf09e464f17381b9f04fe929c8ed35f43772def8556eadec550

Threat Level: Known bad

The file 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Scheduled Task/Job: Scheduled Task

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 02:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 02:59

Reported

2024-07-19 03:01

Platform

win7-20240705-en

Max time kernel

118s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence

Note: every Run value below points to a copy of the implant whose file name imitates a Windows system binary (explorer, csrss, dwm, WMIADAP, wininit) but which lives in a non-system location: localized resource folders under Program Files, C:\Users\All Users\Adobe\Updater6 and C:\Recovery. The same five names are registered a second time as ONLOGON scheduled tasks (see the schtasks command lines under Processes), so removing only the Run values leaves the persistence in place.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Adobe\\Updater6\\explorer.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\csrss.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Defender\\de-DE\\dwm.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Media Player\\it-IT\\WMIADAP.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\css\\ui-lightness\\wininit.exe\"" C:\dhcpbroker\intocrt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe C:\dhcpbroker\intocrt.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\560854153607923c4c5f107085a7db67be01f252 C:\dhcpbroker\intocrt.exe N/A
File created C:\Program Files\Windows Defender\de-DE\dwm.exe C:\dhcpbroker\intocrt.exe N/A
File created C:\Program Files\Windows Defender\de-DE\6cb0b6c459d5d3455a3da700e713f2e2529862ff C:\dhcpbroker\intocrt.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\WMIADAP.exe C:\dhcpbroker\intocrt.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\75a57c1bdf437c0c81ad56e81f43c7323ed35745 C:\dhcpbroker\intocrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\rc0000\WMIADAP.exe C:\dhcpbroker\intocrt.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Note: every row in this table is written by iexplore.exe, which the bundled skinchanger_csgo_08.02.2021.exe launched against http://java.com/download (see Processes). They are Internet Explorer's own first-run, DOMStorage and window-placement housekeeping keys produced by that page load, not settings changed by the DCRat payload, so the adware/spyware tag on this signature is not a finding against this sample.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9522481-457A-11EF-971E-EA452A02DA21} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000000d4de0b41f85d967fe8ca613298f85d823ffe19514744f2faf1fe6fea400602000000000e80000000020000200000006c9dda90866808bbc17eea5b4e72ada836148001fb646918425359feb56066bd20000000b0fa964fbd6a0192f4986dea6d3f1cf8931858352120434ad69e1522df698de1400000000d0c300244a40c4068822c14c7e6991a899cb9ef1360ec730ba24ac7197fd242c49d0a1e344cbdc35745776870829133bb9207455d862f7bcdeb42e63fbe09dc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c94ac087d9da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not reproduced) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427519835" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Note: the five rows below carry no indicator text; the full command lines of these task creations (task names explorer, csrss, dwm, WMIADAP and wininit, each with /sc ONLOGON /rl HIGHEST /f) are listed under Processes.
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\dhcpbroker\intocrt.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\dhcpbroker\intocrt.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 2540 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe 4
PID 2540 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe 4
PID 2060 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2740 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\dhcpbroker\intocrt.exe 4
PID 2036 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe C:\Program Files\Internet Explorer\iexplore.exe 4
PID 2028 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2752 wrote to memory of 824 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe 3
PID 2752 wrote to memory of 884 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe 3
PID 2752 wrote to memory of 1940 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe 3
PID 2752 wrote to memory of 2472 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe 3
PID 2752 wrote to memory of 2108 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe 3
PID 2752 wrote to memory of 2480 N/A C:\dhcpbroker\intocrt.exe C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe 3

Note: identical rows have been merged; Writes is the number of times each row appeared. Every pair is a parent writing into a child it has just launched (compare the Processes list), which is consistent with ordinary process creation, where the parent fills in the new process's startup parameters; no process writes into an unrelated, already-running process, so this is not evidence of injection. The rows are still the clearest record of the execution chain: the sample starts skinchanger_csgo_08.02.2021.exe (which opens Internet Explorer) and DCrmiZ.exe; DCrmiZ.exe runs the dropped .vbe through WScript.exe, which runs the dropped .bat through cmd.exe, which starts C:\dhcpbroker\intocrt.exe; intocrt.exe registers the five scheduled tasks and launches the persisted copy wininit.exe.
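The parent/child pairs in the table above are enough to rebuild the whole execution chain without the sandbox's own process view. The following is an added example, not code from the sandbox or from DCRat: it parses rows in the report's "PID A wrote to memory of B" format, counts repeated writes, finds the root process and prints the tree. The input is a constructed subset of this report's rows (one row per pair, with the DCrmiZ.exe launch kept three times so the counting is visible).

```python
"""Rebuild the execution chain from a sandbox report's WriteProcessMemory rows."""
import re
from collections import defaultdict

# Constructed subset of the report's "Suspicious use of WriteProcessMemory" rows.
WPM_ROWS = r"""
PID 2540 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
PID 2540 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 2540 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 2540 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 2060 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe C:\Windows\SysWOW64\WScript.exe
PID 2740 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\dhcpbroker\intocrt.exe
PID 2036 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2028 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 824 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 884 N/A C:\dhcpbroker\intocrt.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 2480 N/A C:\dhcpbroker\intocrt.exe C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe
"""

# Both image paths start with a drive letter; the lazy first group stops at the second one,
# which keeps paths containing spaces ("Program Files (x86)") intact.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_wpm_rows(text):
    """(parent_pid, child_pid, parent_image, child_image) for each well-formed row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """pid -> image, parent -> children (first-seen order), (parent, child) -> write count."""
    images, children, writes = {}, defaultdict(list), defaultdict(int)
    for parent, child, pimg, cimg in events:
        images.setdefault(parent, pimg)
        images.setdefault(child, cimg)
        if child not in children[parent]:
            children[parent].append(child)
        writes[(parent, child)] += 1
    return images, dict(children), dict(writes)


def roots(children):
    """Processes that are never written to: the submitted sample, in a clean detonation."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def lineage(pid, children, images):
    """Image names from the root down to pid, e.g. how the persisted implant was reached."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]


def render(pid, children, images, writes, parent=None, depth=0, lines=None):
    """Indented tree, one line per process, annotated with the parent's write count."""
    lines = [] if lines is None else lines
    note = f" [{writes[(parent, pid)]} write(s) by parent]" if parent is not None else ""
    lines.append("  " * depth + f"{basename(images[pid])} (pid {pid}){note}")
    for child in children.get(pid, []):
        render(child, children, images, writes, pid, depth + 1, lines)
    return lines


if __name__ == "__main__":
    images, children, writes = build_tree(parse_wpm_rows(WPM_ROWS))
    for root in roots(children):
        print("\n".join(render(root, children, images, writes)))
    print("intocrt.exe reached via:", " -> ".join(lineage(2752, children, images)))
```

Run against the complete table, the tree has a single root (the submitted sample) and two branches: the Internet Explorer branch under skinchanger_csgo_08.02.2021.exe and the DCRat branch that ends in intocrt.exe, its five schtasks children and wininit.exe.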

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe

"C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"

C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe

"C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat" "

C:\dhcpbroker\intocrt.exe

"C:\dhcpbroker\intocrt.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe'" /rl HIGHEST /f

C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe

"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe"
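The five schtasks /create lines above and the matching Run values share one pattern: the target file carries the name of a Windows system binary but lives in a non-system directory, runs at every logon and asks for the highest available run level. The following is an added example, not code from the sandbox or from DCRat, showing how to triage such entries as they appear in a report. SYSTEM_IMAGE_NAMES, LEGIT_PARENTS and the benign "Backup" task used as a negative control are assumptions made for this example; the other inputs are copied from this report.

```python
"""Flag masquerading persistence entries from schtasks command lines and Run-key rows."""
import re
from pathlib import PureWindowsPath

# Assumption: an illustrative, not exhaustive, set of Windows image names that implants borrow.
SYSTEM_IMAGE_NAMES = {"explorer", "csrss", "dwm", "wininit", "winlogon", "lsass", "svchost",
                      "smss", "services", "spoolsv", "wmiadap", "taskhost", "conhost"}
# Assumption: where those images legitimately live on a default install (lower-case).
LEGIT_PARENTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\windows\system32\wbem"}

# Command lines from the report's Processes list, plus one constructed benign task.
SCHTASKS_CMDS = [
    r'''"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\explorer.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\csrss.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\WMIADAP.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\wininit.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\wbem\WMIADAP.exe" /f''',
]
# Two rows from the report's "Adds Run key to start application" table, as printed there.
RUN_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Adobe\\Updater6\\explorer.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\csrss.exe\"" C:\dhcpbroker\intocrt.exe N/A
'''
RUN_RE = re.compile(r'\\Run\\(\S+) = "(.*)"')


def _unescape(value):
    """The report prints registry strings with C-style escapes (\\\\ and \\")."""
    return value.replace('\\\\', '\\').replace('\\"', '"').strip('"')


def _flag(cmd, name):
    """Value of a schtasks /name switch: a quoted string or a bare token, quotes stripped."""
    m = re.search(rf'/{name}\s+("[^"]*"|\S+)', cmd, re.I)
    return m[1].strip('"').strip("'") if m else None


def assess(name, path, *, source, trigger=None, runlevel=None):
    """One finding per suspicious property of a persistence target."""
    p = PureWindowsPath(path)
    findings = []
    if p.stem.lower() in SYSTEM_IMAGE_NAMES and str(p.parent).lower() not in LEGIT_PARENTS:
        findings.append(f"system-binary name {p.name} outside a system directory ({p.parent})")
    if trigger and trigger.upper() == "ONLOGON":
        findings.append("runs at every logon")
    if runlevel and runlevel.upper() == "HIGHEST":
        findings.append("requests the highest available run level")
    return {"source": source, "name": name, "path": str(p), "findings": findings}


def triage_persistence(schtasks_cmds, run_rows):
    report = []
    for cmd in schtasks_cmds:
        name, target = _flag(cmd, "tn"), _flag(cmd, "tr")
        if re.search(r"/create\b", cmd, re.I) and name and target:
            report.append(assess(name, target, source="schtasks",
                                 trigger=_flag(cmd, "sc"), runlevel=_flag(cmd, "rl")))
    for line in run_rows.strip().splitlines():
        m = RUN_RE.search(line)
        if m:  # Run values fire at user logon, so they carry the ONLOGON trigger implicitly
            report.append(assess(m[1], _unescape(m[2]), source="Run key", trigger="ONLOGON"))
    return report


def masquerading(report):
    """Entry names whose target is a system-binary look-alike outside a system directory."""
    return sorted({r["name"] for r in report
                   if any("outside a system directory" in f for f in r["findings"])})


if __name__ == "__main__":
    for entry in triage_persistence(SCHTASKS_CMDS, RUN_ROWS):
        print(entry["source"], entry["name"], entry["path"])
        for f in entry["findings"]:
            print("   -", f)
```

The masquerading check is the one that separates this sample's entries from normal administration: a task named WMIADAP pointing at C:\Windows\System32\wbem\WMIADAP.exe is unremarkable, while the same name pointing into a Windows Media Player language folder is not, whatever the trigger and run level.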

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 java.com udp 1
GB 92.123.142.98:80 java.com tcp 2
US 8.8.8.8:53 www.java.com udp 1
GB 92.123.142.120:80 www.java.com tcp 2
GB 92.123.142.120:443 www.java.com tcp 4
US 8.8.8.8:53 static.ocecdn.oraclecloud.com udp 1
GB 104.82.139.43:443 static.ocecdn.oraclecloud.com tcp 2
US 8.8.8.8:53 s.go-mpulse.net udp 1
GB 95.100.244.132:443 s.go-mpulse.net tcp 2
US 8.8.8.8:53 c.go-mpulse.net udp 1
GB 2.18.108.132:443 c.go-mpulse.net tcp 2
US 8.8.8.8:53 c.oracleinfinity.io udp 1
US 8.8.8.8:53 www.oracle.com udp 1
GB 92.123.142.128:443 c.oracleinfinity.io tcp 2
GB 95.100.246.138:443 www.oracle.com tcp 2
US 8.8.8.8:53 dc.oracleinfinity.io udp 1
GB 147.154.230.206:443 dc.oracleinfinity.io tcp 24
RU 188.120.226.148:80 188.120.226.148 tcp 1
US 204.79.197.200:443 ieonline.microsoft.com tcp 3

Note: identical rows have been merged; Count is the number of connections in the original table. Everything resolved through 8.8.8.8 here belongs to Internet Explorer loading http://java.com/download (Oracle's CDN, Akamai mPulse performance beacons, Oracle Infinity analytics), and ieonline.microsoft.com is Internet Explorer's own traffic; none of these are indicators for this sample. The one exception is 188.120.226.148:80 (RU): it is the only contact made directly by IP, with no hostname and no DNS lookup, which is the pattern of a hard-coded server address. Treat it as the candidate command-and-control indicator for this sample and confirm it against the implant's embedded configuration before acting on it.
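A quick way to separate a decoy page load from sample-specific traffic in a table like the one above is to look at how each destination was named: browser traffic is preceded by a DNS query for a hostname, a hard-coded C2 address is not. The following is an added example, not code from the sandbox or from DCRat: it parses rows in the report's "Country Destination Domain Proto" format, merges repeats, and flags contacts whose "domain" is a bare IP as well as contacts with no earlier DNS query. The input is a constructed subset of this report's rows (the repeated dc.oracleinfinity.io rows are reduced to three).

```python
"""Separate decoy-browsing noise from sample-specific network indicators in a sandbox report."""
import ipaddress
from collections import OrderedDict

# Constructed subset of the report's Network table.
NET_ROWS = """
US 8.8.8.8:53 java.com udp
GB 92.123.142.98:80 java.com tcp
GB 92.123.142.98:80 java.com tcp
US 8.8.8.8:53 www.java.com udp
GB 92.123.142.120:80 www.java.com tcp
GB 92.123.142.120:443 www.java.com tcp
US 8.8.8.8:53 static.ocecdn.oraclecloud.com udp
GB 104.82.139.43:443 static.ocecdn.oraclecloud.com tcp
US 8.8.8.8:53 dc.oracleinfinity.io udp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
RU 188.120.226.148:80 188.120.226.148 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def parse_net_rows(text):
    """Each row is 'Country Destination Domain Proto'; Destination is host:port."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "dest": dest, "host": host,
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Collapse repeated rows into (dest, domain, proto) -> count, keeping first-seen order."""
    counts = OrderedDict()
    for r in rows:
        key = (r["dest"], r["domain"], r["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage_network(rows):
    """ip_literal: contacts whose 'domain' is a bare address (nothing to resolve, so it was
    hard-coded). no_dns: names contacted with no DNS query earlier in the capture; weaker on
    its own, since a cached or missed resolution produces the same gap (ieonline.microsoft.com
    here), so the two lists are kept separate rather than merged into one verdict."""
    resolved, ip_literal, no_dns = set(), [], []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolved.add(r["domain"])  # the DNS row names the domain being looked up
            continue
        if is_ip_literal(r["domain"]):
            ip_literal.append(r)
        if r["domain"] not in resolved and r["domain"] not in no_dns:
            no_dns.append(r["domain"])
    return {"ip_literal": ip_literal, "no_dns": no_dns}


if __name__ == "__main__":
    rows = parse_net_rows(NET_ROWS)
    for (dest, domain, proto), n in summarize(rows).items():
        print(f"{n:3d}  {proto}  {dest:<22} {domain}")
    verdict = triage_network(rows)
    print("direct-by-IP:", [r["dest"] for r in verdict["ip_literal"]])
    print("no DNS seen: ", verdict["no_dns"])
```

On the full table the direct-by-IP list contains exactly one entry, 188.120.226.148:80; the no-DNS list also picks up ieonline.microsoft.com, which is why the two heuristics should be reported separately and the second treated as a prompt to check the DNS capture rather than as an indicator on its own.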

Files

memory/2540-0-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

memory/2540-1-0x0000000000B00000-0x0000000000EF8000-memory.dmp

memory/2540-2-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe

MD5 d1f66e48b6142bc32afbb7c3643f95cf
SHA1 d25c69dfb6636dec0b3785e976d95abee5dbd75d
SHA256 f30235dde35a1e71d2885f6f84adaa6a16214692e984211c64d1ad7b5adc10a8
SHA512 9a2be6d06914c9f02f40581e65246ea80dbacbafca8bc9343bf5c09f5544c1024d39a3af91ff0cad898d0217b0fdf993fa25db1e781a0a05aa1f469791552b17

C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe

MD5 38e6a371b9b49ac702d736ce075720cf
SHA1 fc45fe7359a82b3dac083d7e7db8a81f8d4f3d43
SHA256 a043fa5ebafa40a931a1efcb3addf8e9a6e15c964d5fb3621a19640305e46e9c
SHA512 f4f37c236059ca103177a7afc896a9753a416d0cf9b1f47874aa25a2beafbf7a2b359091cac29fa33588532f2ca809b8d1c78ce6532cf7516ad23501520d0fd4

memory/2540-17-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe

MD5 08dc32b1d4cdcf5a2f704fc5ceabe2b7
SHA1 d166caaed25c6f0660bcadb4d914d2ca37338bd3
SHA256 afded55b6d7bd3c7971283d1483a1f678f9898744ce8de8d2e2338a52042cf9d
SHA512 8f5588dc392d9b23a7306a8196727364ddcece8f8df6ebf77a3230796119f0be4957d724936f589ec95a41e2ce5c3f596d6191bcac1c7ac84e3afa5b6aca5051

C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat

MD5 b6d7b2fd5e3c8f474280e1ba4204842e
SHA1 2d4a6cf418bbbaaa62b1e1aaa83a093046a925cb
SHA256 f26d4068d07f5b1b1f49c33611cbc27a7faba8936e71b6c90911e160d5489c11
SHA512 e3cbd02b67d6de805e3083492fbf4339537b9f164f10bbfea24b29f2e527eb486992d56f53d111dc07f9ac68f343b90617f985d3462b4845511cab1f9fc1131e

C:\dhcpbroker\intocrt.exe

MD5 be47c79de361e8b5c036c6a025c5244b
SHA1 d68fa5f0de905e6ec474e7232da445bcdefc7c2c
SHA256 7775fde3daf8cf53361e33c23addc126dc1f3e9ddd9c4cf587a0e755e680086c
SHA512 aead9390e3ed14315cbd5d27022f3c4f9a396da3a1547db598f6258f62377c5836bb0f93d970c25a075950904732f753797856981baf52cf901e4c26c8c9afcf

memory/2752-32-0x0000000000B00000-0x0000000000B76000-memory.dmp

memory/2036-33-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KBVHB2Z1\www.java[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\favicon[1].ico

MD5 8e39f067cc4f41898ef342843171d58a
SHA1 ab19e81ce8ccb35b81bf2600d85c659e78e5c880
SHA256 872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd
SHA512 47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

MD5 8a8b57e816e9d652bd96849f8e64a753
SHA1 78a81ae72bc1e7f7ba0d42661d7e2d96e9cc5069
SHA256 32b20fbffdcff95e0db99983ab73d2b96a9b7518a569e28a14c1420013b50d43
SHA512 45e672278867dff27c9f6667b70ab2950652897735a789cd3d5b982ee6b5356928421e0f81d086ef877b643470c7d9296a9dad59969f78b9f45ed6c587f5a68d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KBVHB2Z1\www.java[1].xml

MD5 1986531c07cb31fdd5b21f2b6152336b
SHA1 19ced48b63e5fb5b20707349f2d6688a02caac56
SHA256 f0dcdfa3eb2ed159cef34f6716ffaf4cd8f8f17b0fce5bfcd54b31b6e03371f0
SHA512 45c8102a62e651bb548f63aeff583b72ba38c25567b06612959509d791dbba8064e8f36db383e77e0bc49745e8366ba8cd06845882c8ae48deb11969c7197b64

memory/2480-166-0x00000000009C0000-0x0000000000A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarDF0B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\CabDF0C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee2f05ffac4813e1fe3c43cb7bb2b884
SHA1 2a11fd19ea1ea4126a2fb77d7e8eb33d1abab70a
SHA256 290b0e43b5eda653aa427999f8ea9ff7bffc4f38230fe1a911714d92db8bc67a
SHA512 a5ddab0a3eaa26d798640bfe770bc7fd2353ef594ef85a33de985bd5d02e04525a32db8666d899c0f694c6a60ebfd3dde38c39412d0eb31d7699aa264f7359fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fb00789721552c180668acb0fb0bc7f
SHA1 dd5da9b8cf336533ac4567a43a8c0bffd7f51264
SHA256 f3db672d279926ef1bfb62cdb8d98976a1398826e9e42f09030b7b50621cc65e
SHA512 0e8053910ffe6326bc6fe9d399ff23e94927f954e939959162c604b75ecfa3369077aed65bbd3eda2475f1a907e44e9ab3b7aade64acaaa07bef515c14f653a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d0262bfd6f416f7c80bde1b72b3169c
SHA1 5a7349062f1f34a756cf24a1eea444fd9dfb48b1
SHA256 0347087249bf6e0b1a40384070dcaca7e26d28eadce63a1be5415b4a72f276e9
SHA512 8196a16f91415cba670d93683bd1d9b1813cc93ace2b9299ac30832315d88a368315d8c9439da4dfe144b487a9a11301648e535468eff135f123a752118908e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c7fb611c46dbb206da04251895eefb7
SHA1 5898c2d65da76f67c432c341e6398c2fcb08808f
SHA256 ff211c2563f7ed316f4519c4ee6e16ccb8e236d3706da80f23e57a094527d0c1
SHA512 dc6e9ea2f9e51ca5642d2b70253291d619016af379481f19072022efd2b496d81f31491289db9fd4990126de10b2b32d27dbfa699b0ca9ff17e3b965bea3f705

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7922bf71ff11fa35a10eea616af062db
SHA1 24e52e0992a7e3513e38d566c770872417d80793
SHA256 9c36cfa5f1e4004a92b28e27fdd212dbebd350c7c141ded3185028d347e91060
SHA512 75ade3beab9decf5013b876a8366be75e99b5b5cb7010b9e05c97d3fc97a2fc344b43b9e0b575623b057f219b1cca44291ac5cee42268639532d423985ce86ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd5a808c92cc7e129d56c41843a94285
SHA1 6559ae1f8d873245d0f88e9beeeb2e44391e7a5c
SHA256 879fd0f3c0aa6b01675e2c594a46d28edc3992d66b7084c825f669423a31a007
SHA512 bfa206a5b14313d7cf87b508aab7f352a49b6253209473c52bd9ba44e71088c30950a009e680fd1df1bd65c281fb4c7e49197d8a5956fbc1eb2092c393a84a84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35ce9d51c2ead47fdb2ab8c9b98a66f7
SHA1 e623e05a16db49db5ad8334ffb7269f9785f5523
SHA256 6b56096d32650133a800453b76beb24e61c74e33f126c5bfa1af87efb67a9db2
SHA512 ff098d8bc521cc0bd8cc6c73b22ab67b668628821990f3e9d93e122b5b97069f490140e3ccd1e013b2ac33d46f556da55e9460a9ae4d171d52641376282d2917

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7bdf10e4794663f9ca36750c61b8177
SHA1 6b4ac055ddebee251cc1a46b659b8951181e1934
SHA256 62182df761a28b11173d2c4cede7ca8f0eabdcb86d45be7f5e26318e0be102db
SHA512 2896ee06df9b43c596818ee4accdb9e6a145ca508ff2cca9c0c13dfdf593bab8173ebd633e691942c39c8197efd76289d062719dd701e6f910220660e240dc5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 614a676a0b79c2b9b1d229b10973d0f5
SHA1 98744d7c06669ae4e80c003dad157751d9f8a154
SHA256 a1007a4574266b7b17d5a0960efe2d3d655e9417785d507ceeb237a83cce9f5a
SHA512 c0d2598ac2d36d502ae6a918d67ef0a936dfe43c07214db58db07d0826566946e46559d78bb0e82f9dcd1f0d9c697a96290b9b9fd804c4ac460f2d825c60d859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2d668d485ddd3d330f112a787e17b77
SHA1 ef6b110dd571afe1effdf795bb4a184f1bde70c0
SHA256 6ace8f4ffd94e40c4a6200867cf7228d5e1618c9f274a75b52a27fbdf52d8f2e
SHA512 a4b278874d6e0a16223da3f290e817f81dbab9675a58fcec3992bdbed04383e9f8787727aebf161ee9c2a11153cccbf02f5d709a2c915d49fd08bd166c1ffb2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 402c9795775d198be9b393b78fb5c301
SHA1 e82a69a12d8c3193a3c887f68053ea6e5286d068
SHA256 a534a5197abaea893646da10fce9c5906fb0a26d60827d9deff8f05f9cf457f9
SHA512 b010070cdb7d331493aa7c097c3171092cf4ba967ef7462fadd898683aa5189051726435674ce2cb6701e6891a43316e70c83f600e8ef33661e323049cdd3093

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 179721a7c1fb074e97325d61bd178d9c
SHA1 bc4102cdf02f17677d86b30d50e9bcc98e33bf25
SHA256 360d8cc96016eb54b1cc1768c60f6b0e3e0df294369d18bf179c8226f4963517
SHA512 c191e11b5866863cb3fb36608e7bb2e0eb3f836b8f059cf1901412f8a97a89b6cad89e01efba103d8b82337ce1b941dde38cccdfbed245f5255179196cc80730

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be2af73e165e7f0d0a20326ae06452e4
SHA1 2fa1d039ff8631e13c91236008d31315b7d7e4fa
SHA256 c94cc05867428940c70c5ca3da5b244a552f03392ce94d9bcc7c4dcae9aaa3bb
SHA512 036a01f3ebf16f1a3da0dc9e68edf7258cb9a2f8fa37d8ca80fdbaceef05370fdb1bfcb10c4ca3f32f424573430f250ebd2062b2f68bb692ab0609f83add9b64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaa7a4a48d4b98f753321edb220a87eb
SHA1 6015044c2f8db52c0d91aea8b4de5c8037adb6eb
SHA256 6a7dce2dff0f388dfd8a1a5875f041592d3d41beb14ecc1c29d7f01dd924fe63
SHA512 83c907c382ff359aa7d192f07e983e3cd0b15478872136fcf926f23897ec0c886e5259eab4f475c01ee9fb4bcedc516e9bc9e1b6805d997288e208b75e309570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c88606d7dd5d3121a69c34ab1da4705c
SHA1 26386808b872507ec5b0446cbb273f46c618875a
SHA256 bf1f006d1feca6327f786a42437c1cd969d11db96a25420436207b87485e593a
SHA512 9cfaf1db4e8e0d91248b59989ed52ca40cefbc9fec33e6de7a11480227f3958219640dc52050c1c7f6e1040ac0f4834dfed85e63086ed220305d4e683d4f4b3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebd4c092b1d088860db7e425be0f6a90
SHA1 4258654cd1e8db399db70e3cb284d87cf32c7ca1
SHA256 e3918ca3e27f9af1decbd87c166ec44e4590a7ebb36e041e066f289c38527af7
SHA512 e52fb1327ed2959a3eb18c310d67c365f66749391a97726df3e2b1bed0c425f21949e8bc71f79ac1ae312745f6772f04389f88981a724f9d1ebd70ac1e20644d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec0747369562efb8d8959fd23f8ac051
SHA1 fb6258aac9b14060b47c65bb638bcf8068fe39fe
SHA256 128faf5ff41b8d7a7fc16e5594ae41cca23ba47d590e27ac624d5af24388852b
SHA512 e1d125933f29297f4ce073fe6e4d8ff59aefaf118ee41b77fc665f6f7d45073b0151e008da12013aac0e8075236a23044e25891839c6a64c3ad3aa584c4e88db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a5e55e175ee8118eb9e8d5498371042
SHA1 5a602857aae91a492980b27eb74bb4f5832dc8c8
SHA256 ec804455635e210b9fc6ddeb801b92e258f002063034ace1ddee953306df301a
SHA512 66b478f065e8ee83322650ad748bc5f7d1ff60e39b9a17e0a857d5aa72b11e4f441642e9ef96bb7387147dd0fd00f7659dabb022bae290d4eb7abd6baa7f8392

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1125843e8c702a04fd9fa41536933721
SHA1 9576c8965431bb430a49c138b4b76b623431c2ac
SHA256 fdc3b7d38a606b921b372e33b29a44c7972bda2f25ee84f88eab7feb76652df5
SHA512 65075268f75b2d8bf6f57b0df8f9e1848843dc122067a3f7b5d2cdaaf3f7ed0db548676cb5340f621e80cec58d54c8c4628edf7a819aa8369d0f8dfa5fe396e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 02:59

Reported

2024-07-19 03:01

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\WaaSMedicAgent.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Vss\\Writers\\Application\\Idle.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\"" C:\dhcpbroker\intocrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intocrt = "\"C:\\Recovery\\WindowsRE\\intocrt.exe\"" C:\dhcpbroker\intocrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Vss\Writers\Application\Idle.exe C:\dhcpbroker\intocrt.exe N/A
File created C:\Windows\Vss\Writers\Application\6ccacd8608530fba3a93e87ae2225c7032aa18c1 C:\dhcpbroker\intocrt.exe N/A
File created C:\Windows\Vss\Writers\Application\Idle.exe C:\dhcpbroker\intocrt.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\dhcpbroker\intocrt.exe N/A
N/A N/A C:\dhcpbroker\intocrt.exe N/A
N/A N/A C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\dhcpbroker\intocrt.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
PID 548 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
PID 548 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
PID 548 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 548 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 548 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
PID 4856 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4856 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4136 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe C:\Windows\SysWOW64\WScript.exe
PID 4136 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe C:\Windows\SysWOW64\WScript.exe
PID 4136 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe C:\Windows\SysWOW64\WScript.exe
PID 3600 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4616 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\dhcpbroker\intocrt.exe
PID 4616 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\dhcpbroker\intocrt.exe
PID 3048 wrote to memory of 4448 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 4448 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 4060 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 4060 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 3336 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 3336 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 536 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 536 N/A C:\dhcpbroker\intocrt.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 4148 N/A C:\dhcpbroker\intocrt.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe
PID 3048 wrote to memory of 4148 N/A C:\dhcpbroker\intocrt.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe

"C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"

C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe

"C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms64m -Xmx128m -jar "C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat" "

C:\dhcpbroker\intocrt.exe

"C:\dhcpbroker\intocrt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\Idle.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "intocrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\intocrt.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe

"C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 188.120.226.148:80 188.120.226.148 tcp
US 8.8.8.8:53 148.226.120.188.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/548-0-0x0000000000670000-0x0000000000A68000-memory.dmp

memory/548-1-0x00007FF8B5743000-0x00007FF8B5745000-memory.dmp

memory/548-4-0x00007FF8B5740000-0x00007FF8B6201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe

MD5 d1f66e48b6142bc32afbb7c3643f95cf
SHA1 d25c69dfb6636dec0b3785e976d95abee5dbd75d
SHA256 f30235dde35a1e71d2885f6f84adaa6a16214692e984211c64d1ad7b5adc10a8
SHA512 9a2be6d06914c9f02f40581e65246ea80dbacbafca8bc9343bf5c09f5544c1024d39a3af91ff0cad898d0217b0fdf993fa25db1e781a0a05aa1f469791552b17

C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe

MD5 38e6a371b9b49ac702d736ce075720cf
SHA1 fc45fe7359a82b3dac083d7e7db8a81f8d4f3d43
SHA256 a043fa5ebafa40a931a1efcb3addf8e9a6e15c964d5fb3621a19640305e46e9c
SHA512 f4f37c236059ca103177a7afc896a9753a416d0cf9b1f47874aa25a2beafbf7a2b359091cac29fa33588532f2ca809b8d1c78ce6532cf7516ad23501520d0fd4

memory/4856-21-0x0000000000400000-0x0000000000413000-memory.dmp

memory/548-22-0x00007FF8B5740000-0x00007FF8B6201000-memory.dmp

memory/5032-26-0x0000026885DB0000-0x0000026886020000-memory.dmp

C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe

MD5 08dc32b1d4cdcf5a2f704fc5ceabe2b7
SHA1 d166caaed25c6f0660bcadb4d914d2ca37338bd3
SHA256 afded55b6d7bd3c7971283d1483a1f678f9898744ce8de8d2e2338a52042cf9d
SHA512 8f5588dc392d9b23a7306a8196727364ddcece8f8df6ebf77a3230796119f0be4957d724936f589ec95a41e2ce5c3f596d6191bcac1c7ac84e3afa5b6aca5051

memory/5032-43-0x0000026884490000-0x0000026884491000-memory.dmp

memory/5032-61-0x0000026884490000-0x0000026884491000-memory.dmp

memory/5032-82-0x0000026884490000-0x0000026884491000-memory.dmp

memory/5032-89-0x0000026884490000-0x0000026884491000-memory.dmp

memory/5032-101-0x0000026884490000-0x0000026884491000-memory.dmp

memory/5032-122-0x0000026884490000-0x0000026884491000-memory.dmp

C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat

MD5 b6d7b2fd5e3c8f474280e1ba4204842e
SHA1 2d4a6cf418bbbaaa62b1e1aaa83a093046a925cb
SHA256 f26d4068d07f5b1b1f49c33611cbc27a7faba8936e71b6c90911e160d5489c11
SHA512 e3cbd02b67d6de805e3083492fbf4339537b9f164f10bbfea24b29f2e527eb486992d56f53d111dc07f9ac68f343b90617f985d3462b4845511cab1f9fc1131e

C:\dhcpbroker\intocrt.exe

MD5 be47c79de361e8b5c036c6a025c5244b
SHA1 d68fa5f0de905e6ec474e7232da445bcdefc7c2c
SHA256 7775fde3daf8cf53361e33c23addc126dc1f3e9ddd9c4cf587a0e755e680086c
SHA512 aead9390e3ed14315cbd5d27022f3c4f9a396da3a1547db598f6258f62377c5836bb0f93d970c25a075950904732f753797856981baf52cf901e4c26c8c9afcf

memory/3048-204-0x0000013100670000-0x00000131006E6000-memory.dmp

memory/5032-290-0x0000026885DB0000-0x0000026886020000-memory.dmp

memory/5032-318-0x0000026884490000-0x0000026884491000-memory.dmp