Analysis
- max time kernel: 12s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 16:36

Static task: static1
Behavioral task: behavioral1
Sample: 374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll
Resource: win7-20240708-en
General
- Target: 374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll
- Size: 1.2MB
- MD5: 9a27f1f207c3696490f4dd6c85fe9bb4
- SHA1: e77b0cc31e13a380671cb559d1d3ed46f26e504d
- SHA256: 374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497
- SHA512: 8d74935432aba2b3805e78be9b8352cf3aa642b242f2b4bd4b3c674467afd10b115cb7066495696a71206571774c78b4b5d133aa5c294fa0e86ccb2c5809e3b9
- SSDEEP: 24576:U8F+Pzr/Hfp4MIYwZckMQmeVgheBvriXRt:U88zrp4MwL7v2
Malware Config
Extracted
- family: sality
- urls:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
  - http://klkjwre77638dfqwieuoi888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | WaterMark.exe
Ramnit family

Sality family
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMark.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | WaterMark.exe
Disables Task Manager via registry modification
Executes dropped EXE 6 IoCs
pid | Process
- 216 | rundll32mgr.exe
- 3416 | rundll32mgrmgr.exe
- 3088 | WaterMark.exe
- 2812 | WaterMark.exe
- 3996 | WaterMarkmgr.exe
- 5092 | WaterMark.exe
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMark.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMark.exe
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
YARA rule matches (upx)
resource | yara_rule
- behavioral2/memory/216-13-0x00000000033D0000-0x00000000043FA000-memory.dmp | upx
- behavioral2/memory/216-19-0x00000000033D0000-0x00000000043FA000-memory.dmp | upx
- behavioral2/memory/216-23-0x0000000006850000-0x00000000078DE000-memory.dmp | upx
- behavioral2/memory/216-47-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-22-0x00000000033D0000-0x00000000043FA000-memory.dmp | upx
- behavioral2/memory/216-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-9-0x00000000033D0000-0x00000000043FA000-memory.dmp | upx
- behavioral2/memory/216-44-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-80-0x0000000006850000-0x00000000078DE000-memory.dmp | upx
- behavioral2/memory/3416-70-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-43-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3996-112-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/216-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3088-167-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/2812-174-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/5092-196-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory 11 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxA921.tmp | rundll32mgrmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxAEAF.tmp | WaterMarkmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | WaterMark.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxA911.tmp | rundll32mgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgrmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SYSTEM.INI | rundll32mgr.exe
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgrmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMarkmgr.exe
Modifies Internet Explorer settings
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4723A301-C6CC-11EF-BDBF-7ECF469E42CC} = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47260624-C6CC-11EF-BDBF-7ECF469E42CC} = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47216818-C6CC-11EF-BDBF-7ECF469E42CC} = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
- Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47214108-C6CC-11EF-BDBF-7ECF469E42CC} = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid | Process (entries grouped by pid; counts sum to 52)
- 216 | rundll32mgr.exe (2 entries)
- 3088 | WaterMark.exe (16 entries)
- 2812 | WaterMark.exe (16 entries)
- 5092 | WaterMark.exe (18 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 216 | rundll32mgr.exe (all 64 entries are identical)
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
- 4452 | iexplore.exe
- 4400 | iexplore.exe
- 4536 | iexplore.exe
- 5100 | iexplore.exe
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
- 4400 | iexplore.exe (2 entries)
- 4536 | iexplore.exe (2 entries)
- 5100 | iexplore.exe (2 entries)
- 4452 | iexplore.exe (2 entries)
- 4820 | IEXPLORE.EXE (2 entries)
- 4392 | IEXPLORE.EXE (2 entries)
- 3444 | IEXPLORE.EXE (2 entries)
- 1276 | IEXPLORE.EXE (2 entries)
Suspicious use of UnmapMainImage 6 IoCs
pid | Process
- 216 | rundll32mgr.exe
- 3416 | rundll32mgrmgr.exe
- 3088 | WaterMark.exe
- 2812 | WaterMark.exe
- 3996 | WaterMarkmgr.exe
- 5092 | WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical entries are collapsed with a count; counts sum to 64)
- PID 3644 wrote to memory of 740 | 3644 | rundll32.exe | 85 (3 entries)
- PID 740 wrote to memory of 216 | 740 | rundll32.exe | 86 (3 entries)
- PID 216 wrote to memory of 3416 | 216 | rundll32mgr.exe | 87 (3 entries)
- PID 216 wrote to memory of 804 | 216 | rundll32mgr.exe | 9
- PID 216 wrote to memory of 800 | 216 | rundll32mgr.exe | 10
- PID 216 wrote to memory of 64 | 216 | rundll32mgr.exe | 13
- PID 216 wrote to memory of 2824 | 216 | rundll32mgr.exe | 49
- PID 216 wrote to memory of 2872 | 216 | rundll32mgr.exe | 50
- PID 216 wrote to memory of 3008 | 216 | rundll32mgr.exe | 51
- PID 216 wrote to memory of 3340 | 216 | rundll32mgr.exe | 55
- PID 216 wrote to memory of 3556 | 216 | rundll32mgr.exe | 57
- PID 216 wrote to memory of 3748 | 216 | rundll32mgr.exe | 58
- PID 216 wrote to memory of 3840 | 216 | rundll32mgr.exe | 59
- PID 216 wrote to memory of 3912 | 216 | rundll32mgr.exe | 60
- PID 216 wrote to memory of 4036 | 216 | rundll32mgr.exe | 61
- PID 216 wrote to memory of 3380 | 216 | rundll32mgr.exe | 62
- PID 216 wrote to memory of 4136 | 216 | rundll32mgr.exe | 75
- PID 216 wrote to memory of 4576 | 216 | rundll32mgr.exe | 76
- PID 216 wrote to memory of 1876 | 216 | rundll32mgr.exe | 77
- PID 216 wrote to memory of 4436 | 216 | rundll32mgr.exe | 78
- PID 216 wrote to memory of 2652 | 216 | rundll32mgr.exe | 83
- PID 216 wrote to memory of 3416 | 216 | rundll32mgr.exe | 87 (2 entries)
- PID 216 wrote to memory of 2812 | 216 | rundll32mgr.exe | 88 (3 entries)
- PID 3416 wrote to memory of 3088 | 3416 | rundll32mgrmgr.exe | 89 (3 entries)
- PID 3088 wrote to memory of 3996 | 3088 | WaterMark.exe | 90 (3 entries)
- PID 3088 wrote to memory of 4216 | 3088 | WaterMark.exe | 91 (9 entries)
- PID 2812 wrote to memory of 2832 | 2812 | WaterMark.exe | 92 (9 entries)
- PID 3996 wrote to memory of 5092 | 3996 | WaterMarkmgr.exe | 93 (3 entries)
- PID 5092 wrote to memory of 804 | 5092 | WaterMark.exe | 9
- PID 5092 wrote to memory of 800 | 5092 | WaterMark.exe | 10
- PID 5092 wrote to memory of 64 | 5092 | WaterMark.exe | 13
- PID 5092 wrote to memory of 2824 | 5092 | WaterMark.exe | 49
- PID 5092 wrote to memory of 2872 | 5092 | WaterMark.exe | 50
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2872
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3008
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3340
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\374464b82b7f2dc1b9a4f98b58c1edd35fd568e31f5dfd3add92badec217c497.dll,#13⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:216 -
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"8⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5092 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe9⤵PID:4692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵
- Modifies Internet Explorer settings
PID:732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵
- Modifies Internet Explorer settings
PID:2924
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵PID:4216
-
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4452
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:2 8⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4820
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5100
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:17410 /prefetch:2 8⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1276
C:\Program Files (x86)\Microsoft\WaterMark.exe "C:\Program Files (x86)\Microsoft\WaterMark.exe" 5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2812
C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe 6⤵ PID:2832
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4536
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:17410 /prefetch:2 7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3444
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4400
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17410 /prefetch:2 7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4392
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3556
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3748
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3840
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3912
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:4036
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3380
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:4136
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4576
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:1876
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4436
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:2652
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 4
Disable or Modify System Firewall 1
Disable or Modify Tools 3
Modify Registry 6
Downloads