Malware Analysis Report

2025-08-10 14:19

Sample ID: 241003-xwyw4avhnd
Target: 10337612da603f1161073c76d05d688f_JaffaCakes118
SHA256: ced6fbce9082d81bfcd1667693a93057a0a19c00af72d6d797681fd84b9ee54a
Tags: ramnit banker discovery spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: ced6fbce9082d81bfcd1667693a93057a0a19c00af72d6d797681fd84b9ee54a

Threat Level: Known bad

The file 10337612da603f1161073c76d05d688f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: ramnit banker discovery spyware stealer trojan upx worm

Ramnit
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The matrix entries themselves did not survive in this copy of the report; the technique IDs below are derived from the signature names in the summary and are the standard ATT&CK IDs for those behaviours.

T1218.011 System Binary Proxy Execution: Rundll32 (the sample is a DLL executed via rundll32.exe)
T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1055 Process Injection (Suspicious use of WriteProcessMemory)
T1614.001 System Location Discovery: System Language Discovery
T1112 Modify Registry (Modifies Internet Explorer settings)
T1057 Process Discovery (Suspicious behavior: EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2024-10-03 19:12

Signatures

Unsigned PE (no indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-03 19:12
Reported: 2024-10-03 19:15
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srvmgr.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
6 matches; no indicator detail recorded.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxBF49.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Every process in the chain, including the spawned Internet Explorer, opened the NLS\Language key. Ordinary locale lookups read the same key, so on its own this is weak evidence; its value here is confirming which processes the sample ran.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srvmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
All of these writes come from iexplore.exe itself (Recovery, Window_Placement, DomainSuggestion and similar keys are the browser's normal start-up housekeeping). The signature is relevant only because the browser was written into by DesktopLayer.exe (PID 316 -> 2336 in the WriteProcessMemory table below) rather than opened by the user.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DF74801-81BB-11EF-A58E-EA7747D117E6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434144642" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of WriteProcessMemory events recorded for that parent/child pair. Read top to bottom the table is the dropper chain: the 64-bit rundll32.exe re-launches the 32-bit copy under SysWOW64 (expected for a 32-bit DLL on x64), that copy drops and writes into rundll32Srv.exe, which stages rundll32Srvmgr.exe and DesktopLayer.exe, and DesktopLayer.exe stages DesktopLayermgr.exe and writes into iexplore.exe. The final hop is the IE frame process writing into its own tab process (SCODEF:2336 in the tab's command line).

Description Indicator Process Target Count
PID 1152 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 2680 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe 4
PID 2400 wrote to memory of 2964 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32Srvmgr.exe 4
PID 2400 wrote to memory of 316 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe 4
PID 316 wrote to memory of 2340 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe 4
PID 316 wrote to memory of 2336 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe 4
PID 2336 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
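The hops in this table, and the same chain with different PIDs in behavioral2, can be triaged automatically. The Python below is an added example written for this page; it is not part of the sandbox's report or tooling. It re-parses a few of the rows above in their raw row layout (one duplicate kept to show event counting), joins them with the "File created" rows from the drop tables, and flags each hop where a parent writes into a process whose image it dropped itself, where that image sits under a system directory, or where a non-browser binary writes into the browser. The two unflagged hops are the 64-bit rundll32.exe re-launching its 32-bit SysWOW64 copy and the IE frame writing into its own tab process. The scoring rules, the protected-directory list and the browser list are this example's assumptions, not the report's.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory rows and flag
dropper hand-offs. Added example for this page, not vendor code; WPM_ROWS and
DROP_ROWS are pasted from the behavioral1 tables, the rules are assumptions."""
import re
from collections import Counter
from typing import NamedTuple

WPM_ROWS = r"""
PID 1152 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2400 wrote to memory of 2964 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32Srvmgr.exe
PID 2400 wrote to memory of 316 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 316 wrote to memory of 2340 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe
PID 316 wrote to memory of 2336 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2336 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

DROP_ROWS = r"""
File created C:\Windows\SysWOW64\rundll32Srvmgr.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
"""

# Both image columns start with a drive letter, which lets the non-greedy first
# group stop at the right space even for "Program Files (x86)" paths. An
# optional trailing integer tolerates a collapsed-row Count column.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+?)(?: \d+)?$")
DROP_RE = re.compile(r"^File created (C:\\.+?) (C:\\.+?) N/A$")

# Assumed lists for this example.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
BROWSERS = {"iexplore.exe"}


class Hop(NamedTuple):
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str
    events: int
    reasons: tuple


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def parse_writes(text):
    """Counter keyed by (src_pid, dst_pid, src_img, dst_img) -> number of events."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            s, d, simg, dimg = m.groups()
            edges[(int(s), int(d), simg, dimg)] += 1
    return edges


def parse_drops(text):
    """Lower-cased dropped path -> lower-cased image of the process that created it."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2).lower()
    return drops


def ordered_hops(edges):
    """Breadth-first walk from the PID that is never itself a write target."""
    targets = {d for (_, d, _, _) in edges}
    frontier = sorted({s for (s, _, _, _) in edges} - targets)
    ordered = []
    while frontier:
        pid = frontier.pop(0)
        children = sorted(e for e in edges if e[0] == pid)
        ordered.extend(children)
        frontier.extend(e[1] for e in children)
    return ordered


def triage(edges, drops):
    """Attach reasons to every hop; an empty tuple means the hop looks expected."""
    hops = []
    for (s, d, simg, dimg) in ordered_hops(edges):
        sl, dl = simg.lower(), dimg.lower()
        reasons = []
        # Classic dropper hand-off: write a file, start it, then write into it.
        if drops.get(dl) == sl:
            reasons.append("parent wrote into a process whose image it dropped itself")
        if dl in drops and dl.startswith(PROTECTED_DIRS):
            reasons.append("dropped image lives under a protected directory")
        # Banker tell: a non-browser binary writing into the browser.
        if _base(dl) in BROWSERS and _base(sl) not in BROWSERS:
            reasons.append("non-browser parent wrote into a browser process")
        hops.append(Hop(s, d, simg, dimg, edges[(s, d, simg, dimg)], tuple(reasons)))
    return hops


if __name__ == "__main__":
    for h in triage(parse_writes(WPM_ROWS), parse_drops(DROP_ROWS)):
        flag = "!!" if h.reasons else "  "
        print(f"{flag} {h.src_pid:>5} -> {h.dst_pid:<5} x{h.events}  {_base(h.src_img)} -> {_base(h.dst_img)}")
        for r in h.reasons:
            print(f"        - {r}")
```

Running it prints the seven collapsed hops with five flagged; the WOW64 re-launch at the top and the IE frame-to-tab write at the bottom come out clean, which is the behaviour you want from a rule that is meant to survive on a real endpoint where those two hops happen constantly.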

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srvmgr.exe

C:\Windows\SysWOW64\rundll32Srvmgr.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe

"C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 api.bing.com udp 1
US 204.79.197.200:443 ieonline.microsoft.com tcp 3

Both destinations are Internet Explorer's own Microsoft endpoints, contacted because the sample ran iexplore.exe; no other outbound traffic was recorded during the 127 s network window, so this run yields no C2 indicators.

Files

memory/2680-1-0x000000006D040000-0x000000006D072000-memory.dmp

memory/2400-20-0x0000000000230000-0x000000000023F000-memory.dmp

C:\Windows\SysWOW64\rundll32Srvmgr.exe

MD5 f8434f362add5334f4f050f4b4b373a7
SHA1 f5915cb0d72c8faffe11126bc29da1b1db8092bc
SHA256 d34b378ede04c585c2bff8cf32112904e8512ee80c5a9fbb34ba224d8dbc868b
SHA512 6c6b4ea2b0e37a346145ee2814789d9da4c2688aff1c3e1cced16a620e8dc81566670336a3fe8a510b1754bbac6c3c6ac20aa7e20359b9c322bb220b50ac30b9

memory/316-35-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 2c60a0eb60587e6e9dbd389576a30d91
SHA1 9fc335861b437bb6cb3079fb07e420d8f39a4b12
SHA256 e8452f0b8c328b8737d3244729cfb9b5e4295167bfda075b2679c0c9978ab631
SHA512 10f7f201c1c6a36d23df72bf333663de844b7dc1b7ab7cdfeb787e66bff2bc47cda3dbe96db2d6ecb2b33364923c8334310ba1a00937e7de3e1cf8e4869e3697

\Users\Admin\AppData\Local\Temp\~TMBFF6.tmp

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

memory/2964-54-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TMBFD6.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2964-41-0x0000000000400000-0x000000000042A000-memory.dmp

memory/316-38-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2400-25-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2680-10-0x0000000000650000-0x0000000000697000-memory.dmp

memory/2400-8-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2680-6-0x0000000000650000-0x0000000000697000-memory.dmp

memory/2680-5-0x000000006D040000-0x000000006D072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE013.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE48B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029a4686934291622278557d3b62d630
SHA1 2bd7cd5d48278c2d2e0098797774787c12ab7e7e
SHA256 c2cff780d943912ef92a5276defc9ccae0f60ccc41fc38347b6f22a68f1b775d
SHA512 51317575caacc574139f22ab3d43acfeb27077d13f0b9636fe4e39f3d269600eb7eb32d5e24f9c8cedd15256f3be2f462ca9e0755b6da0aaa769ca018943ba94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1e66ef24b05630de689acead3ccb4fa
SHA1 54b94eb03f12ec3eddaf77366b0fccfd1cc2666f
SHA256 ceca37387039a4f9ffc2e2f4062ea8a2f1459d1a136370242078ddc5eb576e65
SHA512 92171b93cb50cb61881e6cbb483bd6f1b350d5243161dd6be942e68fe9e2c5bb3d06392718039df8815a37e24b611e56f78be23274bc1dfd49a063150d0291bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb04257a70d4d8bd987e435987e49842
SHA1 b67a84ea5f06e460d38b8c854346dd9301e546b3
SHA256 a8d1a5ca11aa8d77367bdce91042a4450166e1148a95d011f3dbe2e241c9af4c
SHA512 05c32551b5569ccd7cdd56ff37397aa53283417f568bc6fb4ad34897b4c3e841677fe53ac65ba18f686adcb4b6a93ac9da2b91024ffd184cbc0a17a0863aa179

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec442f438ad62def7e907da93af4b88e
SHA1 4152ef8518d3365b97a82b48c933de36ecea195e
SHA256 9bf641fbf83557dee2e92c88b966da53236d306b75b00bfd6753d73a391311e7
SHA512 25a6149f3ef53529ef5e5b2da947e0e4dd21956307bfb8ec3588643210d85d55e7f848ef5f8a7a3b70a496d51d532138b402df536ce5b849d9b64a808e751ccb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 487721468cfcb1b3e97c22553aa8abcb
SHA1 2c9fde576c8b19a8cd33bb4c1e9fcbc39dc30d77
SHA256 e7487c9dc0f2b8654cc575e33411c466a8c55da64542db252accd4b9a7a32c49
SHA512 317b42101ac1eaba731aee14142389ce284526e58896ba68efc6acd97c9c5e487691e974f2122f40d74d40a0f1fd36163ccc67786f4353f4c2ca3f4c5aade42f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60f70f42b288756e51cedcb198e33204
SHA1 32bbf08c117a98d138139ebc899971dd835281b8
SHA256 84494334d6bd6e84eb8aa51d9928746fff243afbdc0e567dbd72fb5ad8000e21
SHA512 4063f48a2da28605d89e2232982e74fb087c4a0781ae1e51ed2ee51598e00d1dc2bd04eda7c3e12e75ff353c4757cbf0b97fee7523642ddd865c0c6f639bbb3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0858dbc60af965c0cd21f4fe8be841e8
SHA1 98145f0c4f489bec9202df83a3b171f1b155feb2
SHA256 20fd90800f82737d31b9e886ecf11feee54c5cdb9b67c96a349211bbaa494345
SHA512 94012fb788b4e85f1aa2084ba7b81b5e9b9a533e61505951884e0312e286486a0822838dba11208de0b761a90f7fda7cb6785a604fcb193c3e73211dae7994c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54bcd18acb3df8ac8c7012338b556e57
SHA1 73de28f8abf9f75822b15a2ee1959120649a219a
SHA256 151751b707ee884a2427cb26012a72c899454a8f1fbd448770c707a4ed667501
SHA512 fa83eb0869da79b665ad0cf7343cbb6b009112ccec36d2f35e57cfef2da28a421402c349f89096f7b97db57623f345c6b35486991b27644ed6b08e45fd3caa1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 910bc30d64757c8a2b00cf80debbd462
SHA1 33a71b19adf725b5b8fbcc72db5cf67d9e4fdcd1
SHA256 6e2afa038de86d962b5f13a988b2d6412fc4b6122b1c4b95bbba18dc41049293
SHA512 d512e21ecab51eb5559d4ed222092ea609933c250bd2d26941f7a76dc042d818046e77fdf622298be2b667df56d6adf99af608dc10226fa33ccac49ad69898d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f5c71a86406bc9f5ec0d376dd3a2423
SHA1 2cf235a5764c46e06caf60f4c28cb628c3a9d8bd
SHA256 dcd5ed32c6dc1c89f68fb7baa452253522959b10df7498f030b69b03c63e2c50
SHA512 4a0de1277fe00a8c75b8d9df12ce6a766932e89a534c8cf0d3eb5311b73517da856f98c99f0e2c29a51ae6ab09ef6886290eaea24d3c44dce644b5733d2c3ec2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52d3c413e450a67b78660015ba80f2cd
SHA1 9d229fbe6ebd3701b5bfeb944ece0fd2186e4eec
SHA256 9f22a6bc59fd4773e35ce466ae7fe1b8911f6916dfdc35712e0e7e2c49d943d5
SHA512 89db7700b0b9761ec0574020ec4d8c74512328ee542f5c41e5ba0856e35be394e59a859459552ef1855dcee585efe2059b4272fb523f9476c3c906d75fda568d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a531a5e5ab7778d807eee900982145dd
SHA1 55c87641d6adb9eee95542c69d8b4aab3e5a8ea6
SHA256 35b7e379c9c60376da3c7d5e69a0d89eef8de80c2d250c4f034dc4c05aba212a
SHA512 88a5df7aaefb559e61d3ad2ebe0189facc7933bc11d2df3045ac80e9530ca4b2553241ef14bb451b8b71afcd240150dc18d810e3d7174ea7842f0bcae72546a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2764c1b58df58efc4ecbfa2e57c802fe
SHA1 872a6cce205c1adb5eaa0c0657ed5635a26c5cda
SHA256 1b30f86e87e142ecae774fe84a4ca05b5e72c44806e5622eb3bb3dc4523795ab
SHA512 e1f6ab1f64c3028876d2bb3283f782f14519b867b5aa45e8fa870f9f63e820bc8e9f5911f707bece776bde7b09d3b7c7700e0b935b8fc570c172ca3c02d26e57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db0f7c847a90212f6e4f030a6f6b3c17
SHA1 4b8fbfbad935330ddc7d4d061bb33ffa1db354c4
SHA256 085410ee6536bb062927b363883a8e43bea846342c8651c64a6fea7675c90304
SHA512 94022c4cbafb9e637435df3820d2930a991d59d6e857f028f1695c1a1fcaffd23ecf6137c6b79e21dc76d639634ff3673939d42d6b321b7e6fdd408bff31fd8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b08f5551a90bf73d9818a3db7ce8d80
SHA1 b521589a1e57885909b540aded494819f07b8d9a
SHA256 93b967f67f302e2fa379c45f3c01f2230465789c44deca93db33adaafd5a41f5
SHA512 f5d42969e195e996beedc21d17f910de34dedde0e9b6ba4a576c1f790d62346c605ddc2d1d826dbdf16c169160801a7d165aaf44edf2b750e644b36f0751b40f
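Not every hash in this Files list is an indicator of the sample. The CryptnetUrlCache entries and the Cab/Tar .tmp files are produced by Windows' certificate revocation and root-list fetching, triggered here because the sample launched Internet Explorer, and the memory/ entries are sandbox process dumps rather than files on disk. The Python below is an added example for this page, not part of the report or of any vendor tooling; it parses a subset of the entries above in the report's own layout (path, then hash lines) and sorts them into block, watch and ignore tiers. Which paths count as Windows noise is this example's assumption, and it deliberately keeps the randomly named Temp file as a hash-only watch item rather than guessing who wrote it.

```python
"""Sort a sandbox Files section into host indicators and noise. Added example
for this page, not vendor code; FILES_TEXT is a subset of the behavioral1
Files list pasted in the report's layout, the noise rules are assumptions."""
import re
from dataclasses import dataclass, field

FILES_TEXT = r"""
memory/2680-1-0x000000006D040000-0x000000006D072000-memory.dmp

C:\Windows\SysWOW64\rundll32Srvmgr.exe

MD5 f8434f362add5334f4f050f4b4b373a7
SHA256 d34b378ede04c585c2bff8cf32112904e8512ee80c5a9fbb34ba224d8dbc868b

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 2c60a0eb60587e6e9dbd389576a30d91
SHA256 e8452f0b8c328b8737d3244729cfb9b5e4295167bfda075b2679c0c9978ab631

\Users\Admin\AppData\Local\Temp\~TMBFF6.tmp

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

C:\Users\Admin\AppData\Local\Temp\CabE013.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029a4686934291622278557d3b62d630
SHA256 c2cff780d943912ef92a5276defc9ccae0f60ccc41fc38347b6f22a68f1b775d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1e66ef24b05630de689acead3ccb4fa
SHA256 ceca37387039a4f9ffc2e2f4062ea8a2f1459d1a136370242078ddc5eb576e65
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

# Assumed noise rules: crypt32's URL cache and its CAB/CTL scratch files are
# written by Windows itself whenever a browser validates certificates.
NOISE_RULES = [
    (re.compile(r"\\cryptneturlcache\\"), "ignore: crypt32 revocation/CTL cache"),
    (re.compile(r"\\(cab|tar)[0-9a-f]{4}\.tmp$"), "ignore: crypt32 CAB/CTL download scratch"),
]
PAYLOAD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


@dataclass
class Entry:
    path: str
    hashes: dict = field(default_factory=dict)
    tier: str = ""


def classify(path):
    p = path.lower()
    if p.startswith("memory/"):
        return "memory: process dump, not a host artefact"
    for rx, label in NOISE_RULES:
        if rx.search(p):
            return label
    if p.endswith(".exe") and p.startswith(PAYLOAD_DIRS):
        return "block: dropped executable in a protected directory"
    return "watch: unattributed temp file, keep hash only"


def parse_files(text):
    """A non-hash line starts a new entry; hash lines attach to the last one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            entries.append(Entry(path=line))
    for e in entries:
        e.tier = classify(e.path)
    return entries


def block_list(entries):
    """(path, sha256) pairs to block or hunt, de-duplicated on both fields."""
    seen, out = set(), []
    for e in entries:
        key = (e.path.lower(), e.hashes.get("SHA256"))
        if e.tier.startswith("block:") and key not in seen:
            seen.add(key)
            out.append((e.path, e.hashes.get("SHA256")))
    return out


def hash_watchlist(entries):
    """Every SHA256 from the block and watch tiers, sorted."""
    return sorted({e.hashes["SHA256"] for e in entries
                   if e.tier.split(":")[0] in ("block", "watch") and "SHA256" in e.hashes})


def noise_summary(entries):
    """Distinct hashes seen behind each ignored path (same path rewritten many times)."""
    by_path = {}
    for e in entries:
        if e.tier.startswith("ignore:"):
            by_path.setdefault(e.path, set()).add(e.hashes.get("SHA256"))
    return {p: len(h) for p, h in by_path.items()}


if __name__ == "__main__":
    entries = parse_files(FILES_TEXT)
    for e in entries:
        print(f"{e.tier:<55} {e.path}")
    print("block:", block_list(entries))
    print("watch hashes:", len(hash_watchlist(entries)))
```

De-duplicating on (path, SHA256) rather than on path alone matters here: the same CryptnetUrlCache path appears with many different hashes because Windows rewrites that cache file on every fetch, and a path-only de-dupe would silently discard the evidence that a real dropper path was rewritten with different content.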

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-03 19:12
Reported: 2024-10-03 19:15
Platform: win10v2004-20240802-en
Max time kernel: 93s
Max time network: 147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srvmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\rundll32Srvmgr.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

UPX packed file

upx
5 matches; no indicator detail recorded.

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px8CFE.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srvmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1431331834" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7FD70BEA-81BB-11EF-BFD9-66FD5BE5AD11} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1486175737" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1431331834" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135176" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135176" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135176" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135176" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1486175737" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434747752" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of WriteProcessMemory events recorded for that parent/child pair. The chain is the same as in behavioral1 with different PIDs.

Description Indicator Process Target Count
PID 4540 wrote to memory of 5048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 5048 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe 3
PID 3496 wrote to memory of 4900 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32Srvmgr.exe 3
PID 3496 wrote to memory of 4028 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe 3
PID 4028 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe 3
PID 4028 wrote to memory of 3472 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe 2
PID 3472 wrote to memory of 4480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 1
PID 3472 wrote to memory of 4480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3472 wrote to memory of 4480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srvmgr.exe

C:\Windows\SysWOW64\rundll32Srvmgr.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe

"C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 776 -ip 776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3472 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 10176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 10176

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/5048-1-0x000000006D040000-0x000000006D072000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

memory/3496-4-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe

memory/4900-20-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4028-19-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~TM8D4C.tmp

memory/4900-28-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4028-26-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/3496-11-0x00000000005A0000-0x00000000005AF000-memory.dmp

memory/3496-13-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2035.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
