Analysis Overview
SHA256
486d1f139f0396f4cc8e840babc60b0a3001246d53c4b4fed1356f8000618f81
Threat Level: Known bad
The file 0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 18:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 18:02
Reported
2024-10-03 18:05
Platform
win7-20240903-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0116FF1-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B01632B1-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B00F0E91-81B1-11EF-89F5-527E38F5B48B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Windows\SysWOW64\rundll32mgr.exe
| MD5 | 6cd9867676d7745d3d892b9b1eeb087c |
| SHA1 | e27cd410d1e1cd2795931b2e9b4525ef2535ce8a |
| SHA256 | 372e00e34f497e57ddc1762cc01ed91ff77e3d6c6745b37f209d29da9c2c3d94 |
| SHA512 | 5ab8bc024bedf78e585940e9d4e2e8b287591deadd4fe97880008b94609e1518ad430fba934f2c22227723f48deb72053a49bcf48d40e4fd85fd38069eba99e2 |
\Windows\SysWOW64\rundll32mgrmgr.exe
| MD5 | 9f643774ee392ba1e6c40644a9aa7de6 |
| SHA1 | 8c55f086c5610977b4a84c0e0d77bfdf95bbe0d5 |
| SHA256 | 307f2832c7cc23dfecff7b9787f454bed0fc1e31f63950cff5660fabae333003 |
| SHA512 | 4b0effc99a0baa1de5d2a7f310c8c628e5ae5553ff5e31c7408751baddd9fd88fb22a12098cac22ec51edae84437cbb9fc0bd5f2ed645e7c6f30bfd69c08925b |
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
| MD5 | 551161ba25d6c58cf6a4afe7587f7dcb |
| SHA1 | 3f36d947c0d082433bb121a9914b4841ffbfb5af |
| SHA256 | f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58 |
| SHA512 | f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 18:02
Reported
2024-10-03 18:05
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2229944062" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434743538" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B0392D0C-81B1-11EF-9A03-CE3473C70610} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B03469D9-81B1-11EF-9A03-CE3473C70610} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2225568964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2228537826" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B03206B2-81B1-11EF-9A03-CE3473C70610} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2225568964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2228537826" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2225568964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2225568964" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135166" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135166" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2229944062" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4864 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3412 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0392D0C-81B1-11EF-9A03-CE3473C70610}.dat
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B03469D9-81B1-11EF-9A03-CE3473C70610}.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6C51.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US