Analysis
-
max time kernel
85s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
21-11-2022 10:20
Static task
static1
Behavioral task
behavioral1
Sample
d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Resource
win7-20221111-en
General
-
Target
d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Size
532KB
-
MD5
21a43480041fc5c8574a74eab3756146
-
SHA1
66800c187b73999a0beadd6051dc80765098b4cf
-
SHA256
d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14
-
SHA512
4770cc85a0f4a13fbee7ae361876180867f6e9444c0a44bca54b699a8c4a64ea5197d7ee1de261216f0a2f5e7c608406686a62a135ba87e30b42c3762e068334
-
SSDEEP
6144:1R2J0LS6VuAI5AnoqUv4TilIP/s2zOtsC:1Rm0OqCyec0tsC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 3 IoCs
pid | Process
1000 | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
4624 | WaterMark.exe
2144 | WaterMark.exe
-
resource yara_rule behavioral2/memory/4272-135-0x0000000003710000-0x000000000479E000-memory.dmp upx behavioral2/memory/1000-139-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4272-142-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1000-144-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4272-145-0x0000000003710000-0x000000000479E000-memory.dmp upx behavioral2/memory/4272-146-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/1000-147-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/1000-148-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/1000-154-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4272-159-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4624-164-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4272-165-0x0000000003710000-0x000000000479E000-memory.dmp upx behavioral2/memory/4624-168-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-172-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-170-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-174-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4624-175-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-176-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4624-181-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4624-182-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-183-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-184-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/4624-185-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral2/memory/2144-186-0x0000000000400000-0x0000000000444000-memory.dmp upx 
behavioral2/memory/4624-187-0x0000000000400000-0x0000000000421000-memory.dmp upx -
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px742B.tmp | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px7469.tmp | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3368 | 2344 | WerFault.exe | 87
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1405635728" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1405635728" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997915" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1405479141" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement 
= 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997915" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997915" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1405479141" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997915" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375794601" iexplore.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997915" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1405479141" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997915" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1412980620" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997915" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997915" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1412980620" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F3D5F26-698E-11ED-919F-D2F35ABB710A} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1405479141" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1405479141" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 4624 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe 2144 WaterMark.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
204 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: 
SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 
d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe Token: SeDebugPrivilege 4624 WaterMark.exe Token: SeDebugPrivilege 2144 WaterMark.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
1980 | iexplore.exe
2996 | iexplore.exe
204 | iexplore.exe
1596 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 1596 iexplore.exe 1596 iexplore.exe 1980 iexplore.exe 1980 iexplore.exe 2996 iexplore.exe 2996 iexplore.exe 204 iexplore.exe 204 iexplore.exe 3684 IEXPLORE.EXE 3684 IEXPLORE.EXE 3476 IEXPLORE.EXE 3476 IEXPLORE.EXE 3620 IEXPLORE.EXE 3620 IEXPLORE.EXE 3604 IEXPLORE.EXE 3604 IEXPLORE.EXE 3604 IEXPLORE.EXE 3604 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 4 IoCs
pid | Process
4272 | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
1000 | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
4624 | WaterMark.exe
2144 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 4272 wrote to memory of 1000 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 84 PID 4272 wrote to memory of 1000 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 84 PID 4272 wrote to memory of 1000 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 84 PID 4272 wrote to memory of 768 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 8 PID 4272 wrote to memory of 772 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 14 PID 4272 wrote to memory of 60 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 10 PID 1000 wrote to memory of 4624 1000 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe 85 PID 1000 wrote to memory of 4624 1000 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe 85 PID 1000 wrote to memory of 4624 1000 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe 85 PID 4272 wrote to memory of 2408 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 57 PID 4272 wrote to memory of 2444 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 56 PID 4272 wrote to memory of 2736 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 49 PID 4272 wrote to memory of 2732 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 47 PID 4272 wrote to memory of 2144 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 86 PID 4272 wrote to memory of 2144 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 86 PID 4272 wrote to memory of 2144 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 86 PID 4272 wrote to memory of 3096 4272 d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 46 PID 4272 wrote to memory of 3296 4272 
d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe 45 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 4624 wrote to memory of 2344 4624 WaterMark.exe 87 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 2144 wrote to memory of 1752 2144 WaterMark.exe 88 PID 4624 wrote to memory of 2996 4624 WaterMark.exe 91 PID 4624 wrote to memory of 2996 4624 WaterMark.exe 91 PID 4624 wrote to memory of 1596 4624 WaterMark.exe 92 PID 4624 wrote to memory of 1596 4624 WaterMark.exe 92 PID 2144 wrote to memory of 1980 2144 WaterMark.exe 93 PID 2144 wrote to memory of 1980 2144 WaterMark.exe 93 PID 2144 wrote to memory of 204 2144 WaterMark.exe 94 PID 2144 wrote to memory of 204 2144 WaterMark.exe 94 PID 204 wrote to memory of 3604 204 iexplore.exe 95 PID 204 wrote to memory of 3604 204 iexplore.exe 95 PID 204 wrote to memory of 3604 204 iexplore.exe 95 PID 1596 wrote to memory of 3684 1596 iexplore.exe 96 PID 1596 wrote to memory of 3684 1596 iexplore.exe 96 PID 1596 wrote to memory of 3684 1596 iexplore.exe 96 PID 1980 wrote to memory of 3620 1980 iexplore.exe 98 PID 1980 wrote to memory of 3620 1980 iexplore.exe 98 PID 1980 wrote to memory of 3620 1980 iexplore.exe 98 PID 2996 wrote to 
memory of 3476 2996 iexplore.exe 97 PID 2996 wrote to memory of 3476 2996 iexplore.exe 97 PID 2996 wrote to memory of 3476 2996 iexplore.exe 97 -
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 1⤵ | PID:768
-
C:\Windows\system32\dwm.exe | "dwm.exe" | 1⤵ | PID:60
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 1⤵ | PID:772
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 1⤵ | PID:3296
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 1⤵ | PID:3096
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵ | PID:2732
-
C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe | "C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14.exe" | 2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe | C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe | 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | 4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | 5⤵ | PID:2344
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 204 | 6⤵
- Program crash
PID:3368
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:17410 /prefetch:2 (depth 6; content process of iexplore.exe PID 2996)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3476
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:17410 /prefetch:2 (depth 6; content process of iexplore.exe PID 1596)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3684
-
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\svchost.exe "C:\Windows\system32\svchost.exe" (depth 4) PID:1752 — second 32-bit svchost.exe with no "-k" argument, listed directly under the other WaterMark.exe instance (PID 2144); same hollowing-style pattern as PID 2344 above, unconfirmed by the report. A svchost.exe whose parent is not services.exe is a cheap, reliable hunting query for this family.
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:17410 /prefetch:2 (depth 5; content process of iexplore.exe PID 1980)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3620
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:17410 /prefetch:2 (depth 5; content process of iexplore.exe PID 204)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3604
-
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2444
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2408
-
C:\Windows\SysWOW64\WerFault.exe "C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2344 -ip 2344" (depth 1) PID:3312 — the process-snapshot ("-pss") helper for the crashed svchost.exe PID 2344; the "1" fused onto "-ip 2344" in the original rendering was the tree-depth marker.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
(path not rendered in this report)
Filesize 223KB
MD5 bc247f945ec06f53771d4d241427784b
SHA1 f069a0e1851b3c268a542c7f6188eaca81f917f1
SHA256 483663a1f26eade91f7667c09312c63a91ad45c7be76bb41c3db4ca6eba3df79
SHA512 47a2c0c200796ca45cc918ac2bda0bed7e1b6166723511f46ab6acef2a0a8c42588d709698f5fb845f6262bf0bde1fae5b93754123df56778c616d591d209c9d
-
(path not rendered in this report)
Filesize 223KB
MD5 bc247f945ec06f53771d4d241427784b
SHA1 f069a0e1851b3c268a542c7f6188eaca81f917f1
SHA256 483663a1f26eade91f7667c09312c63a91ad45c7be76bb41c3db4ca6eba3df79
SHA512 47a2c0c200796ca45cc918ac2bda0bed7e1b6166723511f46ab6acef2a0a8c42588d709698f5fb845f6262bf0bde1fae5b93754123df56778c616d591d209c9d
-
(path not rendered in this report)
Filesize 223KB
MD5 bc247f945ec06f53771d4d241427784b
SHA1 f069a0e1851b3c268a542c7f6188eaca81f917f1
SHA256 483663a1f26eade91f7667c09312c63a91ad45c7be76bb41c3db4ca6eba3df79
SHA512 47a2c0c200796ca45cc918ac2bda0bed7e1b6166723511f46ab6acef2a0a8c42588d709698f5fb845f6262bf0bde1fae5b93754123df56778c616d591d209c9d
Note: these three pathless 223 KB entries carry exactly the same hashes as the dropped ...mgr.exe listed further down, so they are additional copies of that one binary. The process tree executes C:\Program Files (x86)\Microsoft\WaterMark.exe, which has no Downloads entry of its own; it is plausible (not confirmed here) that one of these copies is WaterMark.exe. Block/hunt on the SHA256 rather than on any single path.
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F3D5F26-698E-11ED-919F-D2F35ABB710A}.dat
Filesize 5KB
MD5 83e5b8d9dd3687cecc7ef14ceed388b2
SHA1 c85e32925703dfc5f29c2efe043b9126f4198c83
SHA256 8b37fc35282e38cad1e172f057d552ba1b434433d0d093b86c96e17d2d1e3822
SHA512 cfb7ec8ebc7f9f7dce399f0cfbb614ea0da5c30e25fb595c4a77c02713dfac80fdbc69019ec7de40bf0ebf44aeafbfdaa34fa0e37b8cb6b93e9cd374b1826f73
Note: this and the three RecoveryStore.*.dat files that follow are Internet Explorer session-recovery stores, presumably written by the four iexplore.exe instances in the process tree; they are host artifacts of the malware launching IE, not payloads, and their hashes are not useful as IOCs.
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F4488E3-698E-11ED-919F-D2F35ABB710A}.dat
Filesize 3KB
MD5 33d5541bbc8f2639a7bcf4e374793480
SHA1 4bb7b1c6d32cef1d31bb5f73c0e456794193a05c
SHA256 5fed444d69a150ef4161f89f0296081674d914dd5c070a2d7fe499280022bf36
SHA512 7fab8e7f778fe0de9019c7677d76539bfece71b9e09f1f161ac82688fa8e07e119128990dc9fc107f827cd5193062ac47dfc288d2c02a502c3560b3192b71e7f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F4BB144-698E-11ED-919F-D2F35ABB710A}.dat
Filesize 5KB
MD5 7420d520d7322f761897466fd831ea7b
SHA1 e9232e756b6836122c75a6ec4d0010ba57d9b798
SHA256 9a440fba9418cbb955f12381a528a9aacaea144dbef3ffe4e4f7cdb4c52b45b2
SHA512 81f98076fe080f1f940b7e0c3ae8bf5d4bf8250870199f2a211ebc2a84a07c1828c4fb58af9c904dbb74814e12d7cdec07de422bd61a336578cfe4ab1a4b6550
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F507290-698E-11ED-919F-D2F35ABB710A}.dat
Filesize 5KB
MD5 4c609491ebbbe4565a04a931434a1957
SHA1 184cb8c20871c612b528464d8c8cde0e683f2d14
SHA256 1ee6efe377662f12368f0698e9c64f79ba3ff44d51358bea886a756eae2657a4
SHA512 849c4fda867bc96ec3f4919b1d5c6a36b98e01de017a85a6c511168ddce57b5495336334c55e34fcf20e076e70e6bea2298efc6212ce7b7361fb5270d61dbdec
-
C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
Filesize 223KB
MD5 bc247f945ec06f53771d4d241427784b
SHA1 f069a0e1851b3c268a542c7f6188eaca81f917f1
SHA256 483663a1f26eade91f7667c09312c63a91ad45c7be76bb41c3db4ca6eba3df79
SHA512 47a2c0c200796ca45cc918ac2bda0bed7e1b6166723511f46ab6acef2a0a8c42588d709698f5fb845f6262bf0bde1fae5b93754123df56778c616d591d209c9d
Note: this is the second-stage dropper executed as PID 1000 in the process tree ("Executes dropped EXE", depth 3 under the 532 KB sample); it is listed twice in Downloads with identical hashes, i.e. the same content.
-
C:\Users\Admin\AppData\Local\Temp\d37c4b132daa60de5b57568e29489a472b455a2830fce960355d7fa1ed449b14mgr.exe
Filesize 223KB
MD5 bc247f945ec06f53771d4d241427784b
SHA1 f069a0e1851b3c268a542c7f6188eaca81f917f1
SHA256 483663a1f26eade91f7667c09312c63a91ad45c7be76bb41c3db4ca6eba3df79
SHA512 47a2c0c200796ca45cc918ac2bda0bed7e1b6166723511f46ab6acef2a0a8c42588d709698f5fb845f6262bf0bde1fae5b93754123df56778c616d591d209c9d