ramnit | 277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f

General

Target

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
Size

248KB
MD5

5674d371be612f08af5faab96f2f0c1a
SHA1

1eb5efb0b829f8dd5265ede1907f41a7985f70c8
SHA256

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f
SHA512

1a2c3d2876b3d3b4b4ced37cb5d4d7f18e7083282e5b7ea4ac5c9dff94eebe5dc6029316528f9909466f515884361509564a80d74b3fb9e76e92f813588cc7ef
SSDEEP

3072:uR2xn3k0CdM1vabyzJYWqyZcFaF504UwPGX1NhG2ozrl8SmaUBzMZqa12DtjSM:uR2J0LS6Vymc0IPGEfzrjmPzMZq2s

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exe

pid process

2340 277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
380 WaterMark.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1712-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1712-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2340-147-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/2340-148-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1712-149-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1712-150-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1712-151-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2340-152-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1712-154-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2340-156-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/380-162-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-163-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-164-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-167-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-168-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-169-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/380-170-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px62A.tmp	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px659.tmp	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4736 5092 WerFault.exe svchost.exe

pid	pid_target	process	target process
4736	5092	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3420171149"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3645639039"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998409"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3645639039"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998409"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006970"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998409"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998409"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3420171149"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998409"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3420171149"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3420171149"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F3DE9563-6B7C-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F3E81F0F-6B7C-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998409"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WaterMark.exe

pid	process
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WaterMark.exe

description pid process

Token: SeDebugPrivilege 380 WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3692 iexplore.exe
3608 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	380	WaterMark.exe

pid	process
3692	iexplore.exe
3608	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3608	iexplore.exe
3608	iexplore.exe
3692	iexplore.exe
3692	iexplore.exe
4652	IEXPLORE.EXE
4652	IEXPLORE.EXE
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exeWaterMark.exe

pid	process
2340	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
1712	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
380	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1712 wrote to memory of 2340	1712	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1712 wrote to memory of 2340	1712	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 1712 wrote to memory of 2340	1712	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
PID 2340 wrote to memory of 380	2340	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 2340 wrote to memory of 380	2340	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 2340 wrote to memory of 380	2340	277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe	WaterMark.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 5092	380	WaterMark.exe	svchost.exe
PID 380 wrote to memory of 3608	380	WaterMark.exe	iexplore.exe
PID 380 wrote to memory of 3608	380	WaterMark.exe	iexplore.exe
PID 380 wrote to memory of 3692	380	WaterMark.exe	iexplore.exe
PID 380 wrote to memory of 3692	380	WaterMark.exe	iexplore.exe
PID 3692 wrote to memory of 4652	3692	iexplore.exe	IEXPLORE.EXE
PID 3692 wrote to memory of 4652	3692	iexplore.exe	IEXPLORE.EXE
PID 3692 wrote to memory of 4652	3692	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4048	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4048	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4048	3608	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe
"C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 208
5⤵
- Program crash
PID:4736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3692 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5092 -ip 5092
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3DE9563-6B7C-11ED-919F-DE9E83FE850F}.dat

Filesize
3KB

MD5
43a8454d0fe2fe4229a65668d2db4ba4

SHA1
7ddf52a4891d32a91a6a015cc8ee9a35308619ad

SHA256
03d2bd11232d3b34dcd7c86de234400aecd512016191deb5fc801c7ea596d7ef

SHA512
73c2e681cf60d0f00515b4b203ef4375f1aaf58d182b72e790cea3fdc6275b7286c1e71e0393d828c9e113631943321f5abdc119b1f98e3a52c013ffc0ddb823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3E81F0F-6B7C-11ED-919F-DE9E83FE850F}.dat

Filesize
5KB

MD5
af841021c30c06a717db5191bb1bebf5

SHA1
4bdf3e19a4fdf63e913cd0457b43408206811c1a

SHA256
63829a17cba4c826fb602964a8a3c900e25dcbe6c76f88ef134430f45873255a

SHA512
e0c5f52da17ab5dcf7fb7f93f10e97a124d2cb1e0826e4da6218f6ff5e28e39e785fa236a24d76a070c892639a914a81ad9fba8672a30e6d001c5e5d68995577

Download Submit
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\277c263e788311014b6242c5fb3058e3ef3eaab3a02b312ac5e5f111d68a0b5fmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
memory/380-164-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-170-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/380-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-167-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-144-0x0000000000000000-mapping.dmp

Download
memory/380-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-162-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1712-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1712-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1712-132-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1712-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1712-149-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1712-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2340-156-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2340-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2340-133-0x0000000000000000-mapping.dmp

Download
memory/2340-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2340-147-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5092-161-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads