Malware Analysis Report

2025-01-19 07:06

Sample ID 240626-fc85aaycpq
Target 10c30b617298dff59705da9fb038394e_JaffaCakes118
SHA256 9391da6d8fc9a7f07b81aac67ec99d63159fae2ec3b8b13b63f6e043b535c50b
Tags
ramnit banker spyware stealer trojan upx worm persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9391da6d8fc9a7f07b81aac67ec99d63159fae2ec3b8b13b63f6e043b535c50b

Threat Level: Known bad

The file 10c30b617298dff59705da9fb038394e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm persistence

Ramnit

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 04:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 04:44

Reported

2024-06-26 04:47

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px4A57.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425538973" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D504574D-3376-11EF-BCA5-F2AC8AF4D319} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D501F50E-3376-11EF-BCA5-F2AC8AF4D319} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4232 wrote to memory of 920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4232 wrote to memory of 920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 920 wrote to memory of 4388 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 920 wrote to memory of 4388 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 920 wrote to memory of 4388 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 2924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4388 wrote to memory of 740 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4388 wrote to memory of 740 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4388 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4388 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 740 wrote to memory of 3912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 740 wrote to memory of 3912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 740 wrote to memory of 3912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4064 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4064 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4064 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 2924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/4232-0-0x0000000010000000-0x0000000010033000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 076b881c26b76c254df2d24b1410d64c
SHA1 0c3591cde9733b69f8f19be8458638a0a343adbf
SHA256 e778aab6e5d2cd6372eacdb27867e5df7d4555d8497299461814d8ce51961100
SHA512 5cff93b35a6497837d4dc53393bdc3e81753ef8c08b98ff880d457268208ae1ece6578450b9898dfb4b0d43c1a250b15f9e148ab4e85ff3a9a5db144c728afe8

memory/920-5-0x0000000000400000-0x0000000000427000-memory.dmp

memory/920-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4388-24-0x0000000003100000-0x0000000003101000-memory.dmp

memory/4388-28-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-26-0x0000000000401000-0x0000000000416000-memory.dmp

memory/920-25-0x0000000000416000-0x0000000000420000-memory.dmp

memory/4388-32-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

memory/4388-31-0x0000000000870000-0x0000000000871000-memory.dmp

memory/2924-30-0x0000000000880000-0x0000000000881000-memory.dmp

memory/2924-29-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/4388-33-0x0000000000400000-0x0000000000427000-memory.dmp

memory/920-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/920-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4388-34-0x0000000000070000-0x0000000000071000-memory.dmp

memory/4388-35-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D501F50E-3376-11EF-BCA5-F2AC8AF4D319}.dat

MD5 3a459b6862dc0161d540489d93a36a4b
SHA1 bed779ce081a3b0f0103143a0343333d8c2a0a52
SHA256 234af64c4d1766d29018226bc1861c89dca6539c222199f9f8e610a462ecf408
SHA512 5d74aa0b492b460995ce937cc0b11f45aae7ebb61a0168e8321ff54183f57aa2451bed763cb4cafa00ae789d3b8e42d7320781e043e96ff6f2cf21f9b5d567a3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D504574D-3376-11EF-BCA5-F2AC8AF4D319}.dat

MD5 e85ba23a54ad26addef31d4200173caa
SHA1 f714f64e602406738d58fa354ee2803c08023966
SHA256 f06390bf1387a4eb6bf3b287a3999d9b1ad548c42dfe16e2933172699e320774
SHA512 3dfdd27fea0d71ca08a83ef2c7b864b289edcfb8537e8643753b3211437d387e479c032c90ea2fa1ad3a85fb9186e0b943b1a0527d75c4de1e1f34e90d071b0f

memory/4388-38-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 04:44

Reported

2024-06-26 04:47

Platform

win7-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nssckbi.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\AccessibleHandler.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpCommu.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline_is.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieproxy.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2272 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2272 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2272 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2272 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2620 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2620 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2620 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2620 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 848 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 848 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 848 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 848 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 848 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 848 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 848 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 848 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 848 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 848 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 848 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 848 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 848 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 848 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 848 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 848 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 848 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 848 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 848 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 bing.com udp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 8.8.8.8:53 google.com udp

Files

memory/2272-2-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2272-1-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2272-0-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2272-5-0x00000000001B0000-0x00000000001D7000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 076b881c26b76c254df2d24b1410d64c
SHA1 0c3591cde9733b69f8f19be8458638a0a343adbf
SHA256 e778aab6e5d2cd6372eacdb27867e5df7d4555d8497299461814d8ce51961100
SHA512 5cff93b35a6497837d4dc53393bdc3e81753ef8c08b98ff880d457268208ae1ece6578450b9898dfb4b0d43c1a250b15f9e148ab4e85ff3a9a5db144c728afe8

memory/2272-12-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/2620-13-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2620-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-18-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-22-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2620-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2620-33-0x0000000000050000-0x0000000000077000-memory.dmp

memory/2620-32-0x0000000000050000-0x0000000000077000-memory.dmp

memory/2668-45-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2668-44-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2668-43-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2668-46-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2668-47-0x00000000772CF000-0x00000000772D0000-memory.dmp

memory/2524-51-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2524-49-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2524-58-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2524-65-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2524-64-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2524-63-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2524-62-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2524-67-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2524-72-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2668-76-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/848-78-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2668-92-0x00000000772CF000-0x00000000772D0000-memory.dmp

memory/848-93-0x0000000000380000-0x0000000000381000-memory.dmp

memory/848-91-0x0000000020010000-0x000000002001B000-memory.dmp

memory/848-87-0x0000000020010000-0x000000002001B000-memory.dmp

memory/848-97-0x0000000020010000-0x000000002001B000-memory.dmp

memory/848-96-0x0000000000390000-0x0000000000391000-memory.dmp

memory/848-95-0x0000000020010000-0x000000002001B000-memory.dmp

memory/848-94-0x0000000020010000-0x000000002001B000-memory.dmp

memory/848-331-0x00000000772D0000-0x00000000772D1000-memory.dmp

memory/2668-563-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2668-566-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2524-1007-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 9d9b866171eb6fc9bf34a98bd927c799
SHA1 79b6ee6e30806824ea2f7bfa86a50a11db1dc94f
SHA256 7c0c6d7d6cd7ad8fe6db76dda416561d859c4c5907fa7d329fcde7595984463f
SHA512 6e5828dc189150ec06f4c5f24df13881ba0f154f68a8305d3919db90424e6e7b4a1aa9e779b80e6df707c27ed2ee8d94d04b7ff52fa25d5b0adbe9166c88bd82

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 381a7968c1eac800557ef9cec6b7dea0
SHA1 6bf8bba9039d3540042c493e2111405af7d27ac5
SHA256 c09e0c56db22ce327a70b6374a1ad93de387b86276bb3f40ef4b1d44b7a3a783
SHA512 04b91891d2c8be969d892cade8f13a4e4283d30819b17cfd61d17c417cb26b087bb651fdf54094266129ca0879564ce7574e2c424a4394659be5019a66cbe814