Malware Analysis Report

2025-08-10 14:19

Sample ID: 241003-wms4tayfkl
Target: 0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118
SHA256: 486d1f139f0396f4cc8e840babc60b0a3001246d53c4b4fed1356f8000618f81
Tags: ramnit banker discovery spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 486d1f139f0396f4cc8e840babc60b0a3001246d53c4b4fed1356f8000618f81
Threat Level: Known bad

The file 0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-03 18:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-03 18:02
Reported: 2024-10-03 18:05
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

Signatures

Ramnit

Tags: trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
File created | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0116FF1-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B01632B1-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B00F0E91-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2096 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2100 wrote to memory of 2096 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2100 wrote to memory of 2096 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2100 wrote to memory of 2096 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2096 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2096 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2096 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2096 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2096 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2096 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2096 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2096 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 3032 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 3032 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 3032 wrote to memory of 2736 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 3032 wrote to memory of 2848 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2848 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2848 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2848 | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2736 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2736 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2736 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2736 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 584 wrote to memory of 532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 584 wrote to memory of 532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2344 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2420 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2420 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2420 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2420 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe
    C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
    C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

\Windows\SysWOW64\rundll32mgr.exe

MD5 6cd9867676d7745d3d892b9b1eeb087c
SHA1 e27cd410d1e1cd2795931b2e9b4525ef2535ce8a
SHA256 372e00e34f497e57ddc1762cc01ed91ff77e3d6c6745b37f209d29da9c2c3d94
SHA512 5ab8bc024bedf78e585940e9d4e2e8b287591deadd4fe97880008b94609e1518ad430fba934f2c22227723f48deb72053a49bcf48d40e4fd85fd38069eba99e2

memory/2096-12-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2100-1-0x0000000010000000-0x00000000100A0000-memory.dmp

memory/2100-10-0x0000000000210000-0x0000000000260000-memory.dmp

memory/2100-9-0x0000000000210000-0x0000000000260000-memory.dmp

memory/2100-8-0x0000000010000000-0x00000000100A0000-memory.dmp

\Windows\SysWOW64\rundll32mgrmgr.exe

MD5 9f643774ee392ba1e6c40644a9aa7de6
SHA1 8c55f086c5610977b4a84c0e0d77bfdf95bbe0d5
SHA256 307f2832c7cc23dfecff7b9787f454bed0fc1e31f63950cff5660fabae333003
SHA512 4b0effc99a0baa1de5d2a7f310c8c628e5ae5553ff5e31c7408751baddd9fd88fb22a12098cac22ec51edae84437cbb9fc0bd5f2ed645e7c6f30bfd69c08925b

memory/2096-16-0x0000000000320000-0x0000000000359000-memory.dmp

memory/2096-21-0x0000000000320000-0x0000000000359000-memory.dmp

memory/2096-28-0x0000000000340000-0x0000000000341000-memory.dmp

memory/2096-34-0x000000007741F000-0x0000000077420000-memory.dmp

memory/2096-33-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2096-30-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-29-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3032-27-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2096-26-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-25-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-24-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-23-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2096-37-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

MD5 551161ba25d6c58cf6a4afe7587f7dcb
SHA1 3f36d947c0d082433bb121a9914b4841ffbfb5af
SHA256 f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58
SHA512 f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e

memory/3032-63-0x000000007741F000-0x0000000077420000-memory.dmp

memory/2736-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3032-52-0x00000000002B0000-0x00000000002D1000-memory.dmp

memory/3032-51-0x00000000002B0000-0x00000000002D1000-memory.dmp

memory/3032-55-0x0000000000050000-0x0000000000051000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0116FF1-81B1-11EF-89F5-527E38F5B48B}.dat

MD5 ed7ced3ced533fecebec573a97230647
SHA1 ffb3106a7c3becb33f91552b1e96430b267d7366
SHA256 095e353fceccb7488bd8f42461ab60c59762967c3ad12101745c1df3ee6ce4e3
SHA512 ea9fd2c944b530a6d0340f7e9b085df2eb72854bd627ead2b2a4271c81d0ea1cede4ef9dc0f430191cd1996d1a4776494f0cb37b1a42384660b6ea7afb9a4246

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B00F0E91-81B1-11EF-89F5-527E38F5B48B}.dat

MD5 7e7ec0f96a8216e84941bd09c548beee
SHA1 21ddf0ad73da3215c8a43f09290b8dc3d45d5d56
SHA256 061a20cf68ff0146d62a6ba8df3fd7115740273ffb22d7ecc9b4acd71e3d451c
SHA512 e2544a515a764e32dcfcf01ee858d379dd917ad5e9d8832d43ee33b9a2423ff21c87e78720b6eb1a5e0c38bd718f176bf65b9e6e40e382081b30f4cfadd10971

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B00F0E91-81B1-11EF-89F5-527E38F5B48B}.dat

MD5 7aef8553281f15431929e0ac913f6247
SHA1 4fbde9ab40bdb9bdd9bf25007a0bb8b86ebbdd59
SHA256 ff3f4d09ce42737820e1c99bd727b202c4596557cfc6e0ad460786a25502bd15
SHA512 d1293203fb4efaa62ec5eb0e6bdecdecd49a12e28b2b59b03ab07c20a16586ba4f534fe422bf25ba1c11ed5598ab50efad189b2834b2de829ebf81cb758ceed8

C:\Users\Admin\AppData\Local\Temp\CabE488.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE527.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f022da353b4521dd504c902f86b5982
SHA1 da7aa9a1d71a630520925e1a3f94a627682073fc
SHA256 6a23717102a35b97190874395d1c77ed6786f6fd179812e7793285187bdc2abf
SHA512 2f3ae96ce747a7070023529ddb5462dd224c5b2280466988d827a49c92872df25187683a99290db48b6178aa9f457c3eb48848e518c4642b38141a9ece7bb728

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86ccba6a17c602de77b34d3a016f056e
SHA1 cc167bd2e1682a0ae0991ca80493f701a9d9e71c
SHA256 3551e5f0b3c63673c8a6bef68c646ff5659d6ad3e273a46773f08f237e6e279e
SHA512 4d9e7f71fc61e0bec2893426e8673a0ed78fe8d245dad9946ea10c4e7ca8ddfa4423056eb4c4e437907e40b28f644ba12bf779927c0ba16f4cb094d9a587e39f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94a6a405370658b680f53e9b3b5c4526
SHA1 d0ee39e67c5c4b4b64ac7fbdf3ad302255a22951
SHA256 e9169e3fab8e121345189b6912f9834fa55444f639e95039d6bf802f4ce3477d
SHA512 9e23e16c3cb182c54204bbf1c6e5704d8086e2491c1023a047e7d880dccec3094c032a69fe789cb3edeef70a0fe2f38f129135d4cfb5cd71e347eb401ef5192e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b932cc05c9f92e3a8f59d936769e7456
SHA1 3591132db25d8b8814b47ba61c85df7d1bfac85a
SHA256 458e9e7c6a93ae82c9b87ea040a345533e765926ce4ad2139176d8826477586b
SHA512 c56c94349ecce2ba128a5f8dc37142655e3b51f23664176d03bbeeecdbf19c2ecb8781984973dc7869e020f3daddd6a5147293e53d55c29aea9771cd431c8050

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23a2adf98b60cbe6f19b2346f4db620f
SHA1 f9508d28d117d81f335a8a54b9bd077a73953b3a
SHA256 5d7f950a5be408285a95970d906be5dc0f0376e422a0a2a3124016a48937eab3
SHA512 564c96a03c3f5fe287351a439b8dc8e92bd07c4f571ae8c8e22677cf1acdc6feb773c1412cbb023edece00ab3396df0a09f843dbad53ff04b0f7d0e5c35ebb87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c732f4bf6fcbb29adabc37475af21854
SHA1 8ed3f2a023b08fe1bf5412c6c9496ce240c057c3
SHA256 326bd9f6c80a18d0b920a76e67eaf7c61b6d11636fecdb07f17cd351620f3ebb
SHA512 c04c8f9c7bfddf2e944fc2935a9399ee6eeaa625da0fb30b4be18c3463c4c4a1bef6aa83bbf9c68b5c6dbd9b3da2b09c1e6e9419a06fb4c3aebff74f5e70d75a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 18:02

Reported

2024-10-03 18:05

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2229944062" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434743538" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B0392D0C-81B1-11EF-9A03-CE3473C70610} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B03469D9-81B1-11EF-9A03-CE3473C70610} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2225568964" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2228537826" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B03206B2-81B1-11EF-9A03-CE3473C70610} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2225568964" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2228537826" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2225568964" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2225568964" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2229944062" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3788 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3788 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1096 wrote to memory of 836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 836 wrote to memory of 1628 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 836 wrote to memory of 1628 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 836 wrote to memory of 1628 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 1628 wrote to memory of 2904 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 1628 wrote to memory of 2904 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 1628 wrote to memory of 2904 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1628 wrote to memory of 3412 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1628 wrote to memory of 3412 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 4864 N/A C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 4864 N/A C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3412 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3412 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3412 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 3540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 3540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2936 wrote to memory of 3540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4864 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4864 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4864 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4864 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3412 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp

Files

memory/1096-0-0x0000000010000000-0x00000000100A0000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe


memory/836-5-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgr.exe


memory/1628-9-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1628-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1628-14-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2904-24-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe


memory/836-32-0x0000000000060000-0x0000000000061000-memory.dmp

memory/836-27-0x0000000000400000-0x000000000041A000-memory.dmp

memory/836-26-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1628-20-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1628-15-0x0000000000400000-0x000000000041A000-memory.dmp

memory/836-23-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1628-22-0x0000000000850000-0x0000000000851000-memory.dmp

memory/2904-43-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1628-39-0x0000000000400000-0x000000000041A000-memory.dmp

memory/836-37-0x0000000076F32000-0x0000000076F33000-memory.dmp

memory/836-36-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1628-35-0x0000000000420000-0x0000000000425000-memory.dmp

memory/836-46-0x0000000076F32000-0x0000000076F33000-memory.dmp

memory/2904-45-0x0000000000400000-0x000000000041A000-memory.dmp

memory/836-47-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0392D0C-81B1-11EF-9A03-CE3473C70610}.dat


C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B03469D9-81B1-11EF-9A03-CE3473C70610}.dat


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776


C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6C51.tmp


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US
