Malware Analysis Report

2025-01-19 07:06

Sample ID 240625-3ppmqs1cjb
Target 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118
SHA256 cce1caa13d3448164cbc79a53e95d712b92a306c9390d5125b3ce37c16a2ac36
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cce1caa13d3448164cbc79a53e95d712b92a306c9390d5125b3ce37c16a2ac36

Threat Level: Known bad

The file 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Ramnit

Modifies WinLogon for persistence

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:41

Reported

2024-06-25 23:44

Platform

win7-20240221-en

Max time kernel

150s

Max time network

146s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\regsvr32mgr.exe C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Journal\JNTFiltr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\mpvis.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Journal\MSPVWCTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2188 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2188 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32mgr.exe
PID 2188 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32mgr.exe
PID 2188 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32mgr.exe
PID 2188 wrote to memory of 2088 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32mgr.exe
PID 2088 wrote to memory of 2756 N/A C:\Windows\SysWOW64\regsvr32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2088 wrote to memory of 2756 N/A C:\Windows\SysWOW64\regsvr32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2088 wrote to memory of 2756 N/A C:\Windows\SysWOW64\regsvr32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2088 wrote to memory of 2756 N/A C:\Windows\SysWOW64\regsvr32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1048 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2756 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1688 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1688 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1688 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1688 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1688 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1688 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 340 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1688 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1688 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 1688 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 1688 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 1688 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 1688 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32mgr.exe

C:\Windows\SysWOW64\regsvr32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 N/A tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
NL 91.220.62.30:443 N/A tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.179.238:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp

Files

\Windows\SysWOW64\regsvr32mgr.exe

MD5 8c51fd9d6daa7b6137634de19a49452c
SHA1 db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512 b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

memory/2188-3-0x0000000000170000-0x00000000001A5000-memory.dmp

memory/2188-2-0x0000000074960000-0x000000007498C000-memory.dmp

memory/2088-11-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2088-10-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2088-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2088-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2756-29-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2756-37-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2756-38-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1048-41-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1048-39-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1048-62-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1048-61-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1048-60-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2756-59-0x000000007772F000-0x0000000077730000-memory.dmp

memory/1048-55-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2756-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1048-49-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1048-63-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2756-68-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1688-70-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2756-69-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-81-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-83-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-88-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-87-0x0000000000430000-0x0000000000431000-memory.dmp

memory/1688-86-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-85-0x0000000020010000-0x000000002001B000-memory.dmp

memory/1688-84-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2756-563-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 b5912d8fcd1cb2f1964032c8b7fa7890
SHA1 83f6ecbe5795f2c71a48241c8a19e207ac025dd5
SHA256 00db1994152b1e8be88cd6320ded86664d4b73439d202fb5113461dffcef1c9e
SHA512 76957b9bfd9a1edfa8abf70b008f2e6d6dc3c6552ad18843b5ff6a7d508d3893095de936aa32ddc3de11270914f461b29785bd34607b910d1ae35b2fa2a0004d

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 538283eaf3f31755a64d12f72927cab8
SHA1 f8d302deda0aeab394828374858c45f4c476d419
SHA256 0cb94134111a69173d93f4f9be7413dbfc5b08245cd19f1e37fc7dde5e020922
SHA512 db779176bb5e85da71bf78cc8e4036477cadf9d10b8137905d7117755e1079b96160f123b2cc19349e81c5b8db27a1f659b8a1febc3425aed392ecf25ba3098a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:41

Reported

2024-06-25 23:44

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\regsvr32mgr.exe C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px41CC.tmp C:\Windows\SysWOW64\regsvr32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\regsvr32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\regsvr32mgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520779" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{78952190-334C-11EF-BA70-FA71C8F1560D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 4612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4612 wrote to memory of 756 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32mgr.exe
PID 756 wrote to memory of 4888 N/A C:\Windows\SysWOW64\regsvr32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4888 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4888 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4888 wrote to memory of 2664 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2140 wrote to memory of 1392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll

C:\Windows\SysWOW64\regsvr32mgr.exe

C:\Windows\SysWOW64\regsvr32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1248 -ip 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

C:\Windows\SysWOW64\regsvr32mgr.exe

MD5 8c51fd9d6daa7b6137634de19a49452c
SHA1 db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512 b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837