Analysis Overview
SHA256
c58f710dae497c8f686c66372a5b311e9a266b3d88a7d195ee694b2517ccd2eb
Threat Level: Known bad
The file 7bcd9f2c6a2709ab2cff279e2942047a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Modifies WinLogon for persistence
Ramnit
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 04:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 04:41
Reported
2024-10-29 04:43
Platform
win7-20241010-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"1\\bin\\jusched.exe\"" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\dmlconf.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\MSPVWCTL.DLL | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\Accessories\WordpadFilter.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\Microsoft.Ink.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\dcpr.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\glass.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\j2pcsc.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jsdt.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\server\jvm.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_rtp_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\xul.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\nss3.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadcfr.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingEngine.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\EditFlags = 00000100 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\ = "JNLPFile" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\ = "&Launch" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "SSVHelper Class" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID\ = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport\CLSID\ = "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcd9f2c6a2709ab2cff279e2942047a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcd9f2c6a2709ab2cff279e2942047a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 91.220.62.30:443 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| NL | 91.220.62.30:443 | | tcp |
| US | 8.8.8.8:53 | rterybrstutnrsbberve.com | udp |
| IE | 34.253.216.9:443 | rterybrstutnrsbberve.com | tcp |
| IE | 34.253.216.9:443 | rterybrstutnrsbberve.com | tcp |
| US | 8.8.8.8:53 | erwbtkidthetcwerc.com | udp |
| IE | 34.253.216.9:443 | erwbtkidthetcwerc.com | tcp |
| IE | 34.253.216.9:443 | erwbtkidthetcwerc.com | tcp |
| US | 8.8.8.8:53 | rvbwtbeitwjeitv.com | udp |
| US | 204.95.99.221:443 | rvbwtbeitwjeitv.com | tcp |
| US | 204.95.99.221:443 | rvbwtbeitwjeitv.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
Files
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | b313c611c4280feba76564194b05c1eb |
| SHA1 | 16d9cbab9fb369ddcd6f6e33cdaf977fe3d34c8c |
| SHA256 | bd7b3cb1c8d032fe5dddbe74ce0cba8df770b7545e550f6bf216ab2cdd4ff87f |
| SHA512 | 691d9d8f27e83df242216087362f45d35e7387ec56169bd9af5b9309838be70c5c042fe6bc9c0152db870696df0a0e4f369950dd9d18c65403c72d8293f74f0b |
memory/612-10-0x0000000000400000-0x0000000000428000-memory.dmp
memory/612-3-0x000000006D6D0000-0x000000006D72A000-memory.dmp
memory/612-1-0x000000006D6D0000-0x000000006D72A000-memory.dmp
memory/612-0-0x000000006D6D0000-0x000000006D72A000-memory.dmp
memory/612-20-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1592-29-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-27-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-26-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-25-0x0000000000150000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
| MD5 | 1545b166d2f9c3c5fcd58f1ac904a051 |
| SHA1 | 31739ba0e1d5171615fa817b8eb8dbd3e34f1dc0 |
| SHA256 | 7eeffc594ea91bc524980b34e3ad87c09f16a91edd160129987cd8fd74973e96 |
| SHA512 | 8e89a36a2cfff443e542e5104ef51ab9ea245deb00ef7cf371a11e8c109b62f15e50b658ed45bee463f81443f9607d311e9f13daa1477c151ab8b88870d725c8 |
memory/1592-24-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-23-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-22-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-21-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1592-41-0x0000000000050000-0x0000000000078000-memory.dmp
memory/1592-39-0x0000000000050000-0x0000000000078000-memory.dmp
memory/2196-52-0x000000007791F000-0x0000000077920000-memory.dmp
memory/2196-51-0x0000000000830000-0x0000000000831000-memory.dmp
memory/2196-50-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2196-53-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2792-57-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2792-55-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2792-65-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2792-64-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2792-78-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2792-76-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2792-75-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2792-71-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2792-66-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2196-82-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2636-84-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2196-83-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2196-94-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2636-95-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2636-99-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2636-105-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2636-106-0x0000000077920000-0x0000000077921000-memory.dmp
memory/2636-104-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2636-103-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2636-102-0x0000000020010000-0x000000002001B000-memory.dmp
memory/2636-101-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2196-100-0x000000007791F000-0x0000000077920000-memory.dmp
memory/2792-345-0x0000000020010000-0x0000000020022000-memory.dmp
memory/2196-578-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
| MD5 | 8775eeb4a88a60b25a5c87212dbe4541 |
| SHA1 | 494f4df1959911d9b91bab28a839263501da6137 |
| SHA256 | 61c21d40051e2982957b2256807b20e5f7679989c4b1afd1c148082f55508907 |
| SHA512 | b40161f44a33782e65bae232709a331fe92670e4a76a2140869fb49a122410c01256fe917ac5ea4a33710212da41b1a7ba98d7945a397333830dced41a3bb89b |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
| MD5 | e583367bc9fc3c76266bd83aefa4cc8d |
| SHA1 | 4c17b9b43ca9c7b8725b21e852988d486d433fa2 |
| SHA256 | 8ecf45ee11b5dd0fc79186636d11ef4487681173f5c958e454232a9d6c6767ac |
| SHA512 | b8554ae17442cd9568bbda263caffeacb4ef1b76154ef9f1566de7c739fe80e4e1980c19691177dbacce835a66962e0ed222e116df1732532a5aed4966cfdd28 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 04:41
Reported
2024-10-29 04:43
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
149s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px8136.tmp | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3846234003" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3842171422" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140284" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436941864" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140284" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3846234003" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140284" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{108D6B35-95B0-11EF-B319-6AACA39217E0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3842171422" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140284" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160\CLSID\ = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\ = "JNLP File" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID\ = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "1\\bin\\npjpi160.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.FamilyVersionSupport\CLSID\ = "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"1\\bin\\javaw.exe\" -jar \"%1\" %*" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "1\\bin\\ssv.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.160 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1\ = "2449" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\ = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcd9f2c6a2709ab2cff279e2942047a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcd9f2c6a2709ab2cff279e2942047a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3108 -ip 3108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 204
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | b313c611c4280feba76564194b05c1eb |
| SHA1 | 16d9cbab9fb369ddcd6f6e33cdaf977fe3d34c8c |
| SHA256 | bd7b3cb1c8d032fe5dddbe74ce0cba8df770b7545e550f6bf216ab2cdd4ff87f |
| SHA512 | 691d9d8f27e83df242216087362f45d35e7387ec56169bd9af5b9309838be70c5c042fe6bc9c0152db870696df0a0e4f369950dd9d18c65403c72d8293f74f0b |
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
| MD5 | fa86a1c7c1862032c44f372104706097 |
| SHA1 | ca99939ad6c04d42ffb1efd2e9607487f7cf828f |
| SHA256 | dc8225886f9b2ce03e8156ac85dcb24d1b54d0384aa1f268886f2b89369bae02 |
| SHA512 | ce27bb2ca46b83aed663b7d2d222b3cb1530cef9e2947aa9747eb7231dbc73364dcab9e95e97cba6be6564b430e61a75a39b20bf45f97a8774b765b5c8a54901 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 3c368a68cd68a8dbb557088be01b35c7 |
| SHA1 | 44d06c93fecdb6bd5dbd84e565b68d4f95be42a1 |
| SHA256 | 6a1c84b1e2ae6a619c05fbc48f3441b0421ebab39aef41a3ebd22f0eb005143b |
| SHA512 | 3d19c390990bb1d1a41060a36574ec856e2cb3ddbbf226c837ba4aa75c8c32b004e27b3cea29805558fd02a84a0889df95e0b71a64c15f12621173611bab8157 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | ec7cea8a41c1fbc1b23f367bbcb26481 |
| SHA1 | 5544f9fc33035226493a7d57decf82b00a8af852 |
| SHA256 | 03ddb6f2782a1e62411adcef9789cc332c7d19e347b071e45d425d9d223bb75e |
| SHA512 | a632d59460c12ddbcb34329b3e08b2fc8cd8a33c9227adc543721024e0219cbdcbc425bbbb454c10538bf842227ba1d0b7b4dead9da4169a406996e85466d459 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5C7.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |