Malware Analysis Report

2025-08-05 10:56

Sample ID 241005-jh7eesxeqa
Target 16c669febc9180a25d967de726a83065_JaffaCakes118
SHA256 f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580
Tags
ramnit banker discovery persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580

Threat Level: Known bad

The file 16c669febc9180a25d967de726a83065_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 07:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 07:41

Reported

2024-10-05 07:43

Platform

win7-20240903-en

Max time kernel

150s

Max time network

142s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\libxslt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\libvlc.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPDMCCore.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\OmdProject.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dt_socket.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\VISSHE.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnssci.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\installer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado15.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\wlsrvc.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPDMC.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\notificationserver.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll C:\Windows\SysWOW64\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 1552 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 1552 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 1552 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 2656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1552 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1552 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1552 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1552 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 2596 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2292 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2688 wrote to memory of 1716 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1136 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1716 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1716 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1716 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1716 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1716 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 1716 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1716 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1716 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1716 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1716 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 1716 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 1716 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.187.206:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.187.206:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.187.206:80 google.com tcp

Files

memory/1552-1-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1552-9-0x00000000001C0000-0x00000000001E9000-memory.dmp

memory/1552-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2656-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1136-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2688-63-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2596-67-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2292-101-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2596-100-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2596-99-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2596-102-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2596-98-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2596-97-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2596-79-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2596-65-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1136-62-0x00000000778FF000-0x0000000077900000-memory.dmp

memory/1136-61-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2688-60-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2688-59-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1136-58-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 da387bb5ecf64c32251d4b13773a0d23
SHA1 c197b3a2d51900c7b9d7d0bba3feef81d48cf5b5
SHA256 c92f502e604f3dcdd2ddacb06a1ad6f7fc8f56de8b15001a911a63a81ea8535d
SHA512 4f8e1513b2913f4aaf60883638ad37e5c48aa7426ccc6ae227856c6edcdd26f9d6ddb81a2c76d4768def6ba97fc09859d6e00d3fbf68ad58595a0eb09494dbb2

memory/1552-27-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2656-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2656-22-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2656-21-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1552-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1552-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1552-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1552-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1552-10-0x00000000001C0000-0x00000000001E9000-memory.dmp

memory/2688-107-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2596-421-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1716-375-0x0000000077900000-0x0000000077901000-memory.dmp

memory/1136-374-0x00000000778FF000-0x0000000077900000-memory.dmp

memory/1136-373-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2688-372-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2688-721-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1136-724-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 07080e3d4e8d45831d07ad84c0a0aefe
SHA1 3ce802e8d8038f84a3723c067bbee1f87537beb9
SHA256 b98555f40911dc9c59b74a050930c4b085a0935213e4d8d8e51ca7ddbfeee704
SHA512 ccbe78fe813cbca4f388db0f208a7363caeb5f31906cb99c4d2ab7d478b7413fcd43b51db15f1600e80ba346d3747432ea8538358ae030c9430639a5d52ab192

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 f339ba4d9f79b4e25a911e1544008efa
SHA1 53838d61c91286f916961927a080c43773830b97
SHA256 986e0f60cc874cfb699aaa64f5252947743b74a9d1c8f5e708601dd63693a928
SHA512 c47a725c2e0cb8bd15ccb96621bce43bb507754f8c5cdb7866d63dbf804d8e9158e993154fc903d0a70be6dba85a6a7ec0e8ce824d5c1543093f2e84fe0127b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 07:41

Reported

2024-10-05 07:43

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxB630.tmp C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxB67F.tmp C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxB630.tmp C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188510468" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A8222A-82ED-11EF-9A03-5ED96FC588C3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "185385265" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A7FB1A-82ED-11EF-9A03-5ED96FC588C3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "185072870" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188666756" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188510468" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A59985-82ED-11EF-9A03-5ED96FC588C3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "185072870" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "185385265" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434879056" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 2000 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 2000 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
PID 2000 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2000 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2000 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1456 wrote to memory of 3820 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 1456 wrote to memory of 3820 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 1456 wrote to memory of 3820 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 3820 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3820 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3820 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1456 wrote to memory of 1932 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 1932 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1456 wrote to memory of 3516 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3976 wrote to memory of 2708 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3976 wrote to memory of 2708 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3976 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3976 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2708 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2608 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1932 wrote to memory of 4128 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1932 wrote to memory of 4128 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1932 wrote to memory of 4128 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3516 wrote to memory of 5044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3516 wrote to memory of 5044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3516 wrote to memory of 5044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/2000-0-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe

MD5 da387bb5ecf64c32251d4b13773a0d23
SHA1 c197b3a2d51900c7b9d7d0bba3feef81d48cf5b5
SHA256 c92f502e604f3dcdd2ddacb06a1ad6f7fc8f56de8b15001a911a63a81ea8535d
SHA512 4f8e1513b2913f4aaf60883638ad37e5c48aa7426ccc6ae227856c6edcdd26f9d6ddb81a2c76d4768def6ba97fc09859d6e00d3fbf68ad58595a0eb09494dbb2

memory/2000-5-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2120-4-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2000-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2120-26-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1456-46-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1456-52-0x0000000000060000-0x0000000000061000-memory.dmp

memory/3820-64-0x0000000000401000-0x0000000000416000-memory.dmp

memory/4176-68-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/3924-67-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/3820-66-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3820-63-0x0000000000401000-0x0000000000404000-memory.dmp

memory/3820-62-0x0000000000416000-0x0000000000420000-memory.dmp

memory/3976-61-0x0000000000430000-0x0000000000431000-memory.dmp

memory/1456-57-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 16c669febc9180a25d967de726a83065
SHA1 a71cfe2dcbd34521128b6c3f9340358eda6e3de6
SHA256 f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580
SHA512 dc56797fcc0cfecd7af8fab5a37972894f2203cad7c62bc2339cc74bae487fe49bbf49cdd431275974bd8276dbda1e40521303ea30ae41c411d4cf507a848ebb

memory/3820-49-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3976-70-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1456-32-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3976-72-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1456-71-0x0000000077A82000-0x0000000077A83000-memory.dmp

memory/1456-69-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-12-0x00000000030B0000-0x00000000030B1000-memory.dmp

memory/2000-11-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2000-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1456-74-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1456-73-0x0000000077A82000-0x0000000077A83000-memory.dmp

memory/1456-76-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3976-77-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A7FB1A-82ED-11EF-9A03-5ED96FC588C3}.dat

MD5 20b2bfcf7f977c30c55c30bbfa5b6658
SHA1 f804da8241e2628c4e72d1e467670d8e2fe2722a
SHA256 b337f91dadb09de39b735fcce8cd7e7dba4e6f9cca27b22898486eaad936b8cb
SHA512 3826f343eed153d05e07a96f0dac7fd5657938ac8b3c118fc85a296194556213c1c39bc094bd2723e5f69dc11735577cfcac6b62e8c837dc303068d25768c50d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A8222A-82ED-11EF-9A03-5ED96FC588C3}.dat

MD5 38f735e0d2a9d52206ac7bb9f3792ac6
SHA1 8f4093528a17a83509e71f2ba728a891e617046e
SHA256 8eb611c4b8c474da1cb81ff15873e3ff2d9dfeebd6382cbc7d578786dd2caf4b
SHA512 a2826b6b402b72ac313aee6d180e8732540b8a0e4c72bcbd8bcf4015736db4da0248ac3e614e3b2e9af8dd4119e8c4e2c717e2e1074ffa5aca8eeb4628accc19

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A59985-82ED-11EF-9A03-5ED96FC588C3}.dat

MD5 e41cee613eddf30d2d7e762b70d319d0
SHA1 35993845648651f8de8390cb3f0c615d0037b452
SHA256 53cab9eb866c1a0315379bafbb9f5c4782cd5a5b6d8a18f2cf6f0f36ad88e7c7
SHA512 3985c864de4cf66c3afa12e2dc0fc46b374e21f0478ba3473fbcafea721ffcd3dc6f6f682ac8d93d195cee841e1858b9871c7ee8dfba717d4a7c5595db51ca14

memory/1456-81-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 db7c83e09ebc4317f2bf2df7f66b8513
SHA1 29d58ef43f72ce7cf79ce6109d038a6c9b4873f0
SHA256 1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8
SHA512 6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6ad0d33790f3a57a6178f4ed4ba8c590
SHA1 97ee180abfdefdfacd5b52c67967ba315a048fe5
SHA256 7d85781e4065492c293f4a5e38a8f6c2a8736064ef4930b5103e5da352320100
SHA512 f7ca0793ab2a3f467a45167e7de192202fff7ff656bed31d591b0b6f1ffadb6997b8914e151e8073cc52674b4166dccd617972fabad454f1682d269a8f379964

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 75e12349981ec0bb83c7050c8c137513
SHA1 bc85dae0dd6c095eb88739c8f9d23045c67aba40
SHA256 3f4fa3d42d0b228f26568f5cb053c44dffc72ed95c63525e80f1bbcfdecf1b52
SHA512 970b6fa8ee640399fbbb85e8b924ccf9ffc6ee5363b96d12fada8cb96426b4eb695db5be60baa06891754edca1a16f9520a7a7354a059a6b8a536f6a05b441c5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver38B0.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 fd474e667c4cb0a92df475c48a723071
SHA1 f9a794f103dc8d0b9e4b7b217aa033bb99e90cc0
SHA256 bc6c836021595e606007a95e0cb1388d9e2b4e7619fd2ffa13096f9e1da6f57d
SHA512 44dc78c9fb5e405946c42e18fd45b7f94ce7503f169169147eb7f58194351112a455d71242fc4c9267ccf63effda009eb6a698cdaf0b4e6564d7ac21154b011c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/3820-121-0x0000000000400000-0x0000000000429000-memory.dmp