Analysis
max time kernel: 136s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:51

Static task: static1
Behavioral task: behavioral1
Sample: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Resource: win7-20220812-en
General
Target: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Size: 252KB
MD5: 43bd08991f7824b978d998ab7a9b0600
SHA1: 5e1ae02400e5854c87781a3547e143d31d85312c
SHA256: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529
SHA512: cd353c7f7104b6dc58a75c4c0a52b049fcc61ccdf6eba923d6f3539584c8ea7f2905bda01cc344f0d9dc579932ae317cef9e0699f1c0614c74dd6a2e54c68d80
SSDEEP: 3072:mR2xn3k0CdM1vabyzJYWqaH87onClrA42s8Y/DH8CBDKQ4soITntOOzs1lEaX:mR2J0LS6VdAClrA42ZYrN2Q4ctOOojEM
Malware Config
Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

UAC bypass 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Windows security bypass 6 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Disables RegEdit via registry modification 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Disables Task Manager via registry modification
Executes dropped EXE 3 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe, WaterMark.exe, WaterMark.exe
pid | process
2004 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
4844 | WaterMark.exe
4908 | WaterMark.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
YARA match: upx 11 IoCs
resource | yara_rule
behavioral2/memory/928-139-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/928-136-0x0000000003490000-0x00000000044C1000-memory.dmp | upx
behavioral2/memory/2004-143-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/928-144-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/928-151-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4844-145-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/928-154-0x0000000003490000-0x00000000044C1000-memory.dmp | upx
behavioral2/memory/4908-158-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4844-163-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4908-164-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4844-165-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Windows security modification 7 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Checks whether UAC is enabled 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Drops file in Program Files directory 5 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe, e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\pxCCDA.tmp | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxCE70.tmp | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Drops file in Windows directory 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4224 | 4860 | WerFault.exe | svchost.exe
Modifies Internet Explorer settings 64 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62295B-6B5A-11ED-AECB-5E3721E937B7} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950397484" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3122117556" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62777B-6B5A-11ED-AECB-5E3721E937B7} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950554196" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA62506B-6B5A-11ED-AECB-5E3721E937B7} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950554196" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998375" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375389241" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA629E8B-6B5A-11ED-AECB-5E3721E937B7} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998375" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3122117556" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes: WaterMark.exe, e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe, WaterMark.exe
pid | process | occurrences
4844 | WaterMark.exe | 16
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 2
4908 | WaterMark.exe | 16
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
2904 | iexplore.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes: WaterMark.exe, e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe, WaterMark.exe
description | pid | process | occurrences
Token: SeDebugPrivilege | 4844 | WaterMark.exe | 1
Token: SeDebugPrivilege | 928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 34
Token: SeDebugPrivilege | 4908 | WaterMark.exe | 1
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe
pid | process
2708 | iexplore.exe
4776 | iexplore.exe
2904 | iexplore.exe
1468 | iexplore.exe
Suspicious use of SetWindowsHookEx 18 IoCs
Processes: iexplore.exe (4 instances), IEXPLORE.EXE (4 instances)
pid | process | occurrences
2904 | iexplore.exe | 2
1468 | iexplore.exe | 2
4776 | iexplore.exe | 2
2708 | iexplore.exe | 2
2392 | IEXPLORE.EXE | 2
2212 | IEXPLORE.EXE | 2
2044 | IEXPLORE.EXE | 4
3776 | IEXPLORE.EXE | 2
Suspicious use of UnmapMainImage 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
pid | process
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Suspicious use of WriteProcessMemory 53 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe, e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe, WaterMark.exe, WaterMark.exe, iexplore.exe (4 instances)
pid | process | target pid | target process | occurrences
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 2004 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe | 3
2004 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe | 4844 | WaterMark.exe | 3
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 4908 | WaterMark.exe | 3
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 792 | fontdrvhost.exe | 1
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 800 | fontdrvhost.exe | 1
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 376 | dwm.exe | 1
928 | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe | 4888 | netsh.exe | 3
4844 | WaterMark.exe | 4860 | svchost.exe | 9
4908 | WaterMark.exe | 4856 | svchost.exe | 9
4844 | WaterMark.exe | 2904 | iexplore.exe | 2
4908 | WaterMark.exe | 2708 | iexplore.exe | 2
4844 | WaterMark.exe | 4776 | iexplore.exe | 2
4908 | WaterMark.exe | 1468 | iexplore.exe | 2
2904 | iexplore.exe | 2044 | IEXPLORE.EXE | 3
1468 | iexplore.exe | 3776 | IEXPLORE.EXE | 3
4776 | iexplore.exe | 2392 | IEXPLORE.EXE | 3
2708 | iexplore.exe | 2212 | IEXPLORE.EXE | 3
System policy modification 1 TTPs 1 IoCs
Processes: e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
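The Malware Config and Signatures sections above give everything needed to check a live host for this sample. The script below is an added example written for this page, not part of the tria.ge report or of any sandbox tooling; it reads the registry values, dropped files, firewall state and network indicators the report lists. It assumes it is run from an elevated PowerShell on a 64-bit Windows host, and that the "clean" baseline it compares against (EnableLUA=1, no Security Center Override/DisableNotify values set to 1, the per-user Disable* policy values absent) is the Windows default; those baselines and the seven-day SYSTEM.INI heuristic are the author's assumptions, not findings from the report.

```powershell
# Added example: live-host triage for the indicators in this tria.ge report.
# Run from an elevated PowerShell on the suspect 64-bit host.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Registry values the sample set -----------------------------------------
# The sample is a 32-bit image, so on x64 its HKLM\SOFTWARE\Microsoft\Security Center
# writes were redirected to WOW6432Node (exactly what the report shows). A 64-bit
# build of the same family would hit the native view, so check both views.
$checks = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 }
)
foreach ($view in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
  foreach ($name in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
                    'FirewallDisableNotify', 'UpdatesDisableNotify', 'UacDisableNotify') {
    $checks += @{ Path = $view; Name = $name; Bad = 1 }
  }
}
# The per-user policy values were written into the logged-on user's hive (the
# S-1-5-21-... SID in the report). HKCU: only covers the triage session's user, so
# walk every loaded user hive instead.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' |
                  Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' }) {
  $pol = "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
  $checks += @{ Path = $pol; Name = 'DisableRegistryTools'; Bad = 1 }
  $checks += @{ Path = $pol; Name = 'DisableTaskMgr';       Bad = 1 }
}
foreach ($c in $checks) {
  $v = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)
  if ($null -ne $v -and [int]$v -eq $c.Bad) { $findings.Add("registry: $($c.Path)\$($c.Name) = $v") }
}
if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc') {
  $findings.Add('registry: key HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc present')
}

# --- 2. Dropped files -----------------------------------------------------------
# Match the payload on the SHA256 from the Downloads section, not on the path alone:
# a different hash at this path means a variant (or an unrelated file), not a clean host.
$dropPath   = 'C:\Program Files (x86)\Microsoft\WaterMark.exe'
$dropSha256 = '8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04'
if (Test-Path $dropPath) {
  $h = (Get-FileHash -Algorithm SHA256 -Path $dropPath).Hash.ToLower()
  $note = if ($h -eq $dropSha256) { 'matches report' } else { 'hash differs from report' }
  $findings.Add("file: $dropPath sha256=$h ($note)")
}
Get-ChildItem 'C:\Program Files (x86)\Microsoft\px*.tmp' |
  ForEach-Object { $findings.Add("file: dropper temp artifact $($_.FullName)") }
# Heuristic (assumption): SYSTEM.INI is rarely touched on a modern host.
$ini = 'C:\Windows\SYSTEM.INI'
if ((Test-Path $ini) -and (Get-Item $ini).LastWriteTime -gt (Get-Date).AddDays(-7)) {
  $findings.Add("file: $ini modified $((Get-Item $ini).LastWriteTime)")
}

# --- 3. Firewall state (the sample ran: netsh firewall set opmode disable) --------
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
  ForEach-Object { $findings.Add("firewall: profile '$($_.Name)' is disabled") }

# --- 4. Network indicators from the extracted config ------------------------------
$c2Hosts = 'kukutrustnet777.info', 'kukutrustnet888.info', 'kukutrustnet987.info'
Get-DnsClientCache | Where-Object { $c2Hosts -contains $_.Entry } |
  ForEach-Object { $findings.Add("dns: cache entry $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -RemoteAddress '89.119.67.154' |
  ForEach-Object { $findings.Add("net: pid $($_.OwningProcess) -> 89.119.67.154:$($_.RemotePort)") }

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

A hit on any of these is enough to escalate, but a clean result is not proof of a clean host: Sality is a polymorphic file infector, so the registry and firewall changes above are side effects and the dropped WaterMark.exe is only one artifact. Restoring EnableLUA and the Security Center values without an AV scan (or a reimage) of every executable on the disk leaves the infection in place.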
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:376
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe"C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe"1⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:928 -
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeC:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2045⤵
- Program crash
PID:4224 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2904
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
Tree depth: 5
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 2044
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Tree depth: 4
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4776
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:17410 /prefetch:2
Tree depth: 5
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 2392
-
C:\Windows\SysWOW64\netsh.exe
Command line: netsh firewall set opmode disable
Tree depth: 2
- Modifies Windows Firewall
PID: 4888
-
C:\Program Files (x86)\Microsoft\WaterMark.exe
Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
Tree depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4908
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
Tree depth: 3
PID: 4856
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Tree depth: 3
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2708
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
Tree depth: 4
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 2212
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Tree depth: 3
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1468
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:17410 /prefetch:2
Tree depth: 4
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 3776
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
Tree depth: 1
PID: 5116
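Detection logic for the firewall-tampering step in the process tree above (netsh.exe run with `firewall set opmode disable`, flagged "Modifies Windows Firewall"), added here as an example and not part of the sandbox report. The process-creation records are constructed: only the first command line mirrors the report; the `advfirewall` variants, the PIDs and the field names are assumptions for illustration. The SysWOW64 flag is derived from the image path, since a 32-bit process that launches netsh gets the WOW64 copy through file-system redirection, which is what the report shows.

```python
import re

# Constructed process-creation records (Sysmon event 1 style, trimmed to the
# fields the rules need). Only the first command line mirrors the report's
# process tree; the others are made up to exercise the rules.
SAMPLE_EVENTS = [
    {"pid": 4888, "ppid": 1100, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh firewall set opmode disable"},
    {"pid": 5010, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"pid": 5011, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
    {"pid": 5012, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in '
                'action=allow program="C:\\Users\\Admin\\AppData\\Local\\Temp\\svc.exe"'},
    {"pid": 5013, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c netsh firewall set opmode disable"},
]

# Rules match on the normalised command line, so a wrapper such as
# "cmd /c netsh ..." or a quoted full path to netsh.exe is still caught.
FIREWALL_TAMPER_RULES = [
    # Legacy "netsh firewall" context, the form used in the report.
    ("legacy_firewall_disable",
     re.compile(r"\bnetsh(?:\.exe)?\"?\s+firewall\s+set\s+opmode\s+(?:mode\s*=\s*)?disable\b")),
    # Windows Firewall with Advanced Security: switching a profile off.
    ("advfirewall_profile_off",
     re.compile(r"\bnetsh(?:\.exe)?\"?\s+advfirewall\s+set\s+"
                r"(?:allprofiles|domainprofile|privateprofile|publicprofile)\s+state\s+off\b")),
    # Allow rule whose program lives in a per-user writable directory.
    ("advfirewall_allow_user_writable",
     re.compile(r"\bnetsh(?:\.exe)?\"?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction\s*=\s*allow\b"
                r".*\bprogram\s*=\s*\"?[^\"\s]*\\(?:temp|appdata)\\")),
]


def normalize(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not evade the regexes."""
    return " ".join(cmdline.lower().split())


def match_rules(cmdline):
    """Names of every rule the command line triggers, in rule order."""
    norm = normalize(cmdline)
    return [name for name, rx in FIREWALL_TAMPER_RULES if rx.search(norm)]


def scan(events):
    """One finding per (event, rule) pair, enriched with whether the WOW64 netsh ran."""
    findings = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            findings.append({
                "pid": ev["pid"], "ppid": ev["ppid"], "rule": rule,
                # SysWOW64 image: a 32-bit parent launched it via file-system redirection.
                "wow64": "\\syswow64\\" in ev["image"].lower(),
                "cmdline": ev["cmdline"],
            })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["pid"], hit["rule"], "(wow64)" if hit["wow64"] else "", hit["cmdline"])
```

Matching on the command line rather than the image name is deliberate: the report shows netsh.exe as a direct child of the sample, but the same command reaches netsh just as well through cmd.exe, and the regexes tolerate a quoted full path and the `mode=disable` spelling of the legacy syntax.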
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exe (3 identical entries)
Filesize: 65KB
MD5: 849ef19ec0155d79d4fa5bfb5657b106
SHA1: eb7e7ff208ecb40d35755d8f36e31e2482166299
SHA256: 8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
SHA512: 30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (4 identical entries)
Filesize: 471B
MD5: e32d02ce684c01ef3af05fae9066160e
SHA1: 29c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256: b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512: e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: b2254121f846144f0a00288c8560a83a
SHA1: 7eac9424677f5378d84b0a707f6c3bf53d3c766d
SHA256: b9a11e6dd7da288a96e8a56746388e6ac493c09074430a7cb209c88788bdd1dd
SHA512: 3182b63ce0274c0c9e4454992b0fa43d10729cc1502a641eb4f6c26e0d55e0371381c97a5f87e8a9fefb41474eb1d55b9f141251295e8046af9b7a3a62f740ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (3 identical entries)
Filesize: 404B
MD5: 7dffb4ebeb53449935972c33cecf0f6b
SHA1: 239a3152b953075468dccf6168c53b028994bf35
SHA256: 8cce031dc71db42bb3f50af3e9e12573d6750ee5f9850f53ab23ac14417cc7f1
SHA512: 72b4caf690f57aeac1b99c31a63dfa49cffadb2c40be5c82fe60b3489e532f9c7821d03317bfc0e95742a8b5dc644d99af7d47ff0b17cfabfc3577d650cead93
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (3 identical entries)
Filesize: 404B
MD5: b32abbecf38a95204d6956691ce99b3a
SHA1: 3fc5470e097d65ca30055a4c09db15c6fc88f356
SHA256: 236bd1971e7937c15b99cef6b0c35b99acddbcad0b2d2bd5bbe600cd6b24a784
SHA512: d11b1a764eb3ea554977c9379b930cb3eb2c42acecae906181426cfe6f555e9bd56874a040b0ec05d34373a078777c6a139da7fe02cd500e0bb19ddd74bdce94
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA62295B-6B5A-11ED-AECB-5E3721E937B7}.dat
Filesize: 5KB
MD5: cb821645e1c424d275e312b75377aab5
SHA1: 17637f042e0de46640c4c7f9ed56d5975ee0165b
SHA256: 16ddd167a286f6f6b88a137dfeca57aea16012c9c847d5b21073a61999e4cac1
SHA512: 602027d56ccbbb4efdf17fe87ff5df108dc41be0864a36c4705ed5e607bf2a7a5f109659383d85c5e2f9780fc8a5e5f611ce4ca5a0bc3c36e2e86afb17cdbb53
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA62506B-6B5A-11ED-AECB-5E3721E937B7}.dat
Filesize: 3KB
MD5: f9b65d41457aa40d2a8d7a2fc1918a59
SHA1: f5b0a25028054637b524ed3b9eafd3081d9d97ec
SHA256: 151d57a3da114fb09f690a4f97d0ef307fae815bd243976e53b9d00124c5a49e
SHA512: 068312735bbf163b4bf7e86602a04995c5636bf1454073428bee28f791f9ee976a120c481ce826aaec31c707b3d0c42ab17e0052184253b13ca7651c2e9ae20e
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA62777B-6B5A-11ED-AECB-5E3721E937B7}.dat
Filesize: 5KB
MD5: 18757b892c3b6c02ca74872843d30a21
SHA1: 3edfcdd0fdeaff576bd19c62cd3084c33ae84e5a
SHA256: 52f0b89db2bbe5617aa0487dea61149be0acccf20103b8fb90d140f1f9306708
SHA512: 753508b774bfdaea28468dab2b15ae8f139e8a5bd673404614f59bafeed906a82578fac0ee07f50de42d4f43e3d294d96955d7146b2b32ed1df1e5e0e64eca83
-
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe (2 identical entries)
Filesize: 65KB
MD5: 849ef19ec0155d79d4fa5bfb5657b106
SHA1: eb7e7ff208ecb40d35755d8f36e31e2482166299
SHA256: 8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
SHA512: 30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2
-
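Added example, not part of the report: a parser for the Downloads listing in the flattened form it is extracted in (path fused with "Filesize", algorithm name fused with the digest), which groups dropped files by SHA256 so that one payload written under several names shows up as a single hash with several paths. The excerpt embedded in the code is copied from this page (two of the WaterMark.exe records, the Temp copy, and one CryptnetUrlCache file); the function names and the digest-length sanity check are my own.

```python
import re
from collections import defaultdict

# Excerpt of this report's "Downloads" section, copied in the flattened form
# it appears in on the page. Entries: two of the three WaterMark.exe records,
# the Temp copy of the same binary, and one CryptnetUrlCache file.
REPORT_EXCERPT = r"""
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
65KB
MD5849ef19ec0155d79d4fa5bfb5657b106
SHA1eb7e7ff208ecb40d35755d8f36e31e2482166299
SHA2568b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
SHA51230384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
65KB
MD5849ef19ec0155d79d4fa5bfb5657b106
SHA1eb7e7ff208ecb40d35755d8f36e31e2482166299
SHA2568b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
SHA51230384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2
-
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeFilesize
65KB
MD5849ef19ec0155d79d4fa5bfb5657b106
SHA1eb7e7ff208ecb40d35755d8f36e31e2482166299
SHA2568b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
SHA51230384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
"""

# Expected hex length per algorithm: lets us reject a truncated or mangled digest.
DIGESTS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def _parse_entry(lines):
    """Turn one record (path line, size line, digest lines) into a dict."""
    head = lines[0]
    if not head.endswith("Filesize"):
        raise ValueError("unexpected entry header: %r" % head)
    entry = {"path": head[: -len("Filesize")], "size": lines[1]}
    for line in lines[2:]:
        m = DIGEST_LINE.match(line)
        if not m:
            raise ValueError("unexpected digest line: %r" % line)
        algo, hexdigest = m.group(1).lower(), m.group(2).lower()
        if len(hexdigest) != DIGESTS[algo]:
            raise ValueError("%s digest has length %d" % (algo, len(hexdigest)))
        entry[algo] = hexdigest
    return entry


def parse_dropped_files(text):
    """Split the flattened listing on its '-' separator lines and parse each record."""
    entries, block = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if block:
                entries.append(_parse_entry(block))
            block = []
        elif line:
            block.append(line)
    if block:
        entries.append(_parse_entry(block))
    return entries


def group_by_sha256(entries):
    """sha256 -> sorted list of the distinct paths that content was written to."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["sha256"]].add(e["path"])
    return {h: sorted(p) for h, p in groups.items()}


def multi_path_payloads(entries):
    """Hashes seen under more than one path: one payload dropped under several names."""
    return {h: p for h, p in group_by_sha256(entries).items() if len(p) > 1}


def dropped_executables(entries):
    """Executables written into Program Files or a per-user AppData/Temp directory."""
    hits = set()
    for e in entries:
        p = e["path"].lower()
        if p.endswith(".exe") and ("\\program files" in p or "\\appdata\\" in p):
            hits.add(e["path"])
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_dropped_files(REPORT_EXCERPT)
    for digest, paths in multi_path_payloads(parsed).items():
        print(digest)
        for path in paths:
            print("   ", path)
```

Run on the excerpt, the grouping reduces four records to two distinct files and reports the 65KB binary once, with both the Program Files (x86)\Microsoft\WaterMark.exe and the Temp\...mgr.exe paths under it, which is the pivot an analyst wants when writing an indicator: one content hash, two on-disk names.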
- memory/928-136-0x0000000003490000-0x00000000044C1000-memory.dmp (16.2MB)
- memory/928-139-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/928-154-0x0000000003490000-0x00000000044C1000-memory.dmp (16.2MB)
- memory/928-162-0x0000000003490000-0x00000000044C1000-memory.dmp (16.2MB)
- memory/928-132-0x0000000000400000-0x000000000044A000-memory.dmp (296KB)
- memory/928-144-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/928-151-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/2004-146-0x00000000004A0000-0x00000000004C1000-memory.dmp (132KB)
- memory/2004-133-0x0000000000000000-mapping.dmp
- memory/2004-143-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/4844-163-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/4844-165-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/4844-140-0x0000000000000000-mapping.dmp
- memory/4844-157-0x0000000000460000-0x0000000000481000-memory.dmp (132KB)
- memory/4844-145-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/4856-155-0x0000000000000000-mapping.dmp
- memory/4860-152-0x0000000000000000-mapping.dmp
- memory/4888-148-0x0000000000000000-mapping.dmp
- memory/4908-147-0x0000000000000000-mapping.dmp
- memory/4908-156-0x0000000000550000-0x0000000000571000-memory.dmp (132KB)
- memory/4908-158-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/4908-164-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)