ramnit | cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c

General

Target

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
Size

241KB
MD5

432e72f8c7c3a6c3fe08bc37c7d05eb1
SHA1

37fe5b4a590d5634b9c426688c014226eccbce4f
SHA256

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c
SHA512

21e4f8ad5946c4d4817a8d81db919bba7721c547fb06435f0dda8223a26e854666bfedcfd978e80e9ec8c0c4d92bc600822e94e81d03ef6c2a2451062d3608c1
SSDEEP

3072:ynxwgxgfR/DVG7wBpEu/olCccw+Um4i1APz/S1vKic2GL2jAnEAfuGSlyrYI:y+xDVG0Bpvccus187aKXfdSuR

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exe

pid process

4740 cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
2456 WaterMark.exe

pid	process
4740	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
2456	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4560-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4560-145-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4740-148-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2456-156-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-157-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-158-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-159-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-162-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-163-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-164-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2456-165-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxD6D.tmp	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDFA.tmp	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4312 2256 WerFault.exe svchost.exe

pid	pid_target	process	target process
4312	2256	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998408"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998408"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998408"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "418623822"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998408"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006217"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3140A724-6B7B-11ED-89AC-DAE60F07E07D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{31408014-6B7B-11ED-89AC-DAE60F07E07D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998408"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998408"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "418623822"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "280029348"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "135341899"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "280029348"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "135341899"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WaterMark.exe

pid	process
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe
2456	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

628 iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WaterMark.exe

description pid process

Token: SeDebugPrivilege 2456 WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1104 iexplore.exe
628 iexplore.exe

pid	process
628	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2456	WaterMark.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1104	iexplore.exe
1104	iexplore.exe
628	iexplore.exe
628	iexplore.exe
3264	IEXPLORE.EXE
3264	IEXPLORE.EXE
32	IEXPLORE.EXE
32	IEXPLORE.EXE
3264	IEXPLORE.EXE
3264	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exe

pid	process
4560	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
4740	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
2456	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4560 wrote to memory of 4740	4560	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 4560 wrote to memory of 4740	4560	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 4560 wrote to memory of 4740	4560	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 4740 wrote to memory of 2456	4740	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 4740 wrote to memory of 2456	4740	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 4740 wrote to memory of 2456	4740	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 2256	2456	WaterMark.exe	svchost.exe
PID 2456 wrote to memory of 1104	2456	WaterMark.exe	iexplore.exe
PID 2456 wrote to memory of 1104	2456	WaterMark.exe	iexplore.exe
PID 2456 wrote to memory of 628	2456	WaterMark.exe	iexplore.exe
PID 2456 wrote to memory of 628	2456	WaterMark.exe	iexplore.exe
PID 628 wrote to memory of 3264	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 3264	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 3264	628	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 32	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 32	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 32	1104	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
"C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4740

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 204
5⤵
- Program crash
PID:4312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:32

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2256 -ip 2256
1⤵
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{31408014-6B7B-11ED-89AC-DAE60F07E07D}.dat
Filesize
3KB

MD5
fdbdbaec23fce61c04e753d05f799ae0

SHA1
070e5f12b7cbdfe1941a11627765408ebe16ce58

SHA256
5d2b5e4924c7d7c299dde3e94800843e838b4cccdeb747eb8cc0f2f40cf1a44f

SHA512
3a00d630baa6de18588fcd5d1c892f40bc5c5544117ea97500b55cb4956b1301e64b46f0c5f7c0cb2214c5f53aa328df093e892109dae36bd31400572a6d23a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3140A724-6B7B-11ED-89AC-DAE60F07E07D}.dat
Filesize
5KB

MD5
fd97ccd2edac158da8fd1136c170de0d

SHA1
b32917a80d66eb0dac90e7cc78faf2fc86c5e935

SHA256
b95616386ec39f93f2a03a3ca677bf92bef1b82116b5aedbba1b4942b66b4e9f

SHA512
081cffee606c17c5687127bf965bf572fe800547b4e2580698675b0dd61ad6df9e80fe631c6640c1d95f31c2f8c07b48c67641338532a430db6e497461feba6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
memory/2256-155-0x0000000000000000-mapping.dmp

Download
memory/2456-146-0x0000000000000000-mapping.dmp

Download
memory/2456-163-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-162-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-156-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-157-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-158-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-159-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-164-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-165-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4560-145-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4560-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4560-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4740-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4740-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4740-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4740-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads