ramnit | c7e035548267cd6502e23d30f834af95e03bd1ee2af8df1c27d0409995256ab6

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
Size

357KB
MD5

60a08bd5e8aba152f80bd94b017a1af0
SHA1

0d63970524bcb68a2b13cd063d67e7115aa13882
SHA256

c7e035548267cd6502e23d30f834af95e03bd1ee2af8df1c27d0409995256ab6
SHA512

8c7f94cc2b7fb925dc4a55a36d0b30a91a157cabe2bd4ab3ac819e77900679a4a2880617d3dc5fe5ef8e3179a9c08fae6bbe48cc94d799c0c3f15eb42c8d7c10
SSDEEP

6144:SqHGoq/TMz7GQVONhSdnCsyJ6yzmmCXTl9xGUkKjDR:S4dNHGeOeAsuzzYXTEUkK3R

Score

10^/10

ramnit banker discovery evasion spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

Executes dropped EXE 5 IoCs

pid	Process
2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
764	WaterMark.exe
4196	WaterMark.exe
3996	WaterMarkmgr.exe
4988	WaterMark.exe

Loads dropped DLL 6 IoCs

pid	Process
3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
764	WaterMark.exe
4196	WaterMark.exe
3996	WaterMarkmgr.exe
4988	WaterMark.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	WaterMark.exe
File opened (read-only)	\??\G:	WaterMark.exe
File opened (read-only)	\??\H:	WaterMark.exe
File opened (read-only)	\??\I:	WaterMark.exe
File opened (read-only)	\??\J:	WaterMark.exe
File opened (read-only)	\??\K:	WaterMark.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mp170088.dl_	WaterMark.exe
File created	C:\Windows\SysWOW64\mp170088.dll	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
File opened for modification	C:\Windows\SysWOW64\mp170088.dl_	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
File opened for modification	C:\Windows\SysWOW64\mp170088.dl_	WaterMarkmgr.exe
File created	C:\Windows\SysWOW64\mp170088.dll	WaterMark.exe
File opened for modification	C:\Windows\SysWOW64\mp170088.dl_	WaterMark.exe
File created	C:\Windows\SysWOW64\mp170088.dll	WaterMark.exe
File created	C:\Windows\SysWOW64\mp170088.dll	WaterMarkmgr.exe
File created	C:\Windows\SysWOW64\mp170088.dll	WaterMark.exe
File created	C:\Windows\SysWOW64\mp170088.dl_	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
File created	C:\Windows\SysWOW64\mp170088.dll	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
File opened for modification	C:\Windows\SysWOW64\mp170088.dl_	WaterMark.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3604-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/764-120-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4988-117-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/764-98-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-96-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3996-95-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/764-78-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3996-70-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/2788-45-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3604-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-121-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4988-125-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB2D5.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	WaterMark.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB277.tmp	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB297.tmp	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "417635095"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153296"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "417947605"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "417635095"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153296"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153296"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "417791263"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153296"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420760220"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4460D5C3-C883-11EF-ADF2-4E8E92B54298} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153296"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420760220"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{44633856-C883-11EF-ADF2-4E8E92B54298} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "417635095"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153296"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420760220"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "417791263"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153296"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "417635095"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
764	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe
4988	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	WaterMark.exe
Token: SeDebugPrivilege	764	WaterMark.exe
Token: SeDebugPrivilege	4988	WaterMark.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
900	iexplore.exe
3596	iexplore.exe
3764	iexplore.exe
5064	iexplore.exe
4240	iexplore.exe
1540	iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
4988	WaterMark.exe
1540	iexplore.exe
1540	iexplore.exe
3764	iexplore.exe
3764	iexplore.exe
900	iexplore.exe
900	iexplore.exe
4240	iexplore.exe
4240	iexplore.exe
3596	iexplore.exe
3596	iexplore.exe
5064	iexplore.exe
5064	iexplore.exe
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE
4036	IEXPLORE.EXE
4036	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
5048	IEXPLORE.EXE
5048	IEXPLORE.EXE
3308	IEXPLORE.EXE
3308	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
764	WaterMark.exe
3996	WaterMarkmgr.exe
4196	WaterMark.exe
4988	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2788	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	84
PID 3604 wrote to memory of 2788	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	84
PID 3604 wrote to memory of 2788	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	84
PID 3604 wrote to memory of 764	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	85
PID 3604 wrote to memory of 764	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	85
PID 3604 wrote to memory of 764	3604	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe	85
PID 2788 wrote to memory of 4196	2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe	86
PID 2788 wrote to memory of 4196	2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe	86
PID 2788 wrote to memory of 4196	2788	JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe	86
PID 764 wrote to memory of 3996	764	WaterMark.exe	87
PID 764 wrote to memory of 3996	764	WaterMark.exe	87
PID 764 wrote to memory of 3996	764	WaterMark.exe	87
PID 3996 wrote to memory of 4988	3996	WaterMarkmgr.exe	88
PID 3996 wrote to memory of 4988	3996	WaterMarkmgr.exe	88
PID 3996 wrote to memory of 4988	3996	WaterMarkmgr.exe	88
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 4196 wrote to memory of 2436	4196	WaterMark.exe	89
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 764 wrote to memory of 3304	764	WaterMark.exe	90
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4988 wrote to memory of 4424	4988	WaterMark.exe	91
PID 4196 wrote to memory of 3596	4196	WaterMark.exe	92
PID 4196 wrote to memory of 3596	4196	WaterMark.exe	92
PID 4196 wrote to memory of 5064	4196	WaterMark.exe	93
PID 4196 wrote to memory of 5064	4196	WaterMark.exe	93
PID 764 wrote to memory of 3764	764	WaterMark.exe	94
PID 764 wrote to memory of 3764	764	WaterMark.exe	94
PID 764 wrote to memory of 4240	764	WaterMark.exe	95
PID 764 wrote to memory of 4240	764	WaterMark.exe	95
PID 4988 wrote to memory of 1540	4988	WaterMark.exe	96
PID 4988 wrote to memory of 1540	4988	WaterMark.exe	96
PID 4988 wrote to memory of 900	4988	WaterMark.exe	97
PID 4988 wrote to memory of 900	4988	WaterMark.exe	97
PID 5064 wrote to memory of 1504	5064	iexplore.exe	98
PID 5064 wrote to memory of 1504	5064	iexplore.exe	98
PID 5064 wrote to memory of 1504	5064	iexplore.exe	98
PID 1540 wrote to memory of 3308	1540	iexplore.exe	100
PID 1540 wrote to memory of 3308	1540	iexplore.exe	100
PID 1540 wrote to memory of 3308	1540	iexplore.exe	100
PID 3764 wrote to memory of 4036	3764	iexplore.exe	101
PID 3764 wrote to memory of 4036	3764	iexplore.exe	101
PID 3764 wrote to memory of 4036	3764	iexplore.exe	101
PID 900 wrote to memory of 2096	900	iexplore.exe	99

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2436
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3596
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4636
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1504
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
    "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4988
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4424
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3308
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2096
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3304
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3764 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4240
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4240 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
357KB

MD5
60a08bd5e8aba152f80bd94b017a1af0

SHA1
0d63970524bcb68a2b13cd063d67e7115aa13882

SHA256
c7e035548267cd6502e23d30f834af95e03bd1ee2af8df1c27d0409995256ab6

SHA512
8c7f94cc2b7fb925dc4a55a36d0b30a91a157cabe2bd4ab3ac819e77900679a4a2880617d3dc5fe5ef8e3179a9c08fae6bbe48cc94d799c0c3f15eb42c8d7c10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
30f59b20e935520badc298242cb4cff1

SHA1
00622b2054eb148a8459c2ccd0b22606c2d5c7f6

SHA256
4a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c

SHA512
f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
67c3cc934376d176272a2f5a1903d09e

SHA1
c460ee417c9c375ee686adeb7e50da796c78cfe1

SHA256
aa1eef63ef70325b702bb6610befdc7432b1bea58dee6636459c85829ce60add

SHA512
4297084717b4976479981feced17131b1447ee220a3520f90ff14ef14bbc16c5373bc8d0d3f7d0fa14a82603df7c2c2dc318129c17393af91ae9651b9f2e47f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ffecc9f4646c47c2905eaac51192be0b

SHA1
691a8c49cb0839c60b2651f566d5ce6c2c187255

SHA256
366351b80bd7673bfe8a1266134c858572155dae21f2b66771f7d45b308d3e7c

SHA512
d57cc96bb4440244adb686812dfc93e3721524e1d958053ccadc5b0310aca23feeb482af4c682224de44fc171027cd7d067eeafab1379a5971db6553a99dc151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ae86c96bb582d15263f58cc260eceb7c

SHA1
1ba9cb07a007d253e005f6194271ba97a44a9ee8

SHA256
fa37d6b0ce2b887ad39cb585e32924da8657f819c1cb5addbe072b439e6a40a0

SHA512
555a4d8bffe4b51b44f34dd1330be0e9ec74dc210f2aad00be863f133cdfcf328a84d6793e1b10281fabfd19b94757da09df142a80f719644d47fd631d784043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{445E73B8-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
5KB

MD5
317975955b11b9b09f2b150a4360f061

SHA1
d8cc6b909f249eba1dd2f2052beebf10f41ba9eb

SHA256
a51a789199e9cea3e2665507a3ed30cdc0c40eb9f2627652b7d773a9ce5ed802

SHA512
6f51a44c7baf089871945b7eca77f5f7819071cd6a773848021df7f4c7867b899e826ccc2ce1d2b9e2327704a20de55cb81994666e3ae27e9901166f452705cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4460D5C3-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
4KB

MD5
e48dac48305da4b6528b1481f5292fd7

SHA1
bc16c808aded6ef845ee49d27654869c4975590c

SHA256
be2294c3c8ade6993ad4185d671fd67a4020bfbd29078a08a8b03c9e1c47ea70

SHA512
cd3b0673bc4ef317caa868db343042a784dddf3705f6f7916c502f427a21593b110db4e67c53a0ebfd2d7ea49ff466b2255f55164563106f053dd1f9c47630aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4460D5C3-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
5KB

MD5
f6140d05ea074d6a5cd1463ff3f948b9

SHA1
a1b3b1580a29812f3ff59ec24b196594f77936a2

SHA256
13e2074567ac4d180dccbb3f961c419fbcf5e11742f9ff8318b98c44592a9720

SHA512
1b71a562152bc6db86ddd05ba5da2708045b876674b1bc78edecf2a4dfaed60c037e7d7e1b5c0bab8424aed48e6992dfb97afbcd493301c5d7035483fcec62bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{44659AB2-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
5KB

MD5
95123a0efd007fb45c8d914721461b38

SHA1
c4f5feac67f1fc07c86427fbfdd93f855549895e

SHA256
0ab18267422cf7de95cd276bf435666cc7adfb84617b186631e2ed05f9b696d9

SHA512
11439ad24a85e1862aa32cf2dea6cc8c81eb6dd7d963cd62456c09e9df26d44deff0f2df14c0ec516f01974bc16af128c65f020b82338ef5bdbfa7805b5f3dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4467FD79-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
3KB

MD5
d807ae565f628de8d7d5ebfde7a8d527

SHA1
9047572cd0a726a69495006ebc45bd6e975fe52b

SHA256
85601e382c5d0d31468e2945f7fc0b4374b0c105102031aeeead2b90c9b1bd00

SHA512
f4960b59e0d0cbc814078d8e3dbdbcffe9651541a5c4c083fac9762b59c4d7d3177f5c59248c9e2dab2e09243d00acd3ea5d6ec11af535b12dbaefbd312a7376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{44682489-C883-11EF-ADF2-4E8E92B54298}.dat

Filesize
5KB

MD5
831215a1835d1a6400f8441ead5c2689

SHA1
9f7a1e51427881100e1602fbf0ce9f73e30e94ac

SHA256
9be7b7645590e6a8126a14e91d76a54b362843e3415409df3c9de042b16bee26

SHA512
26a2c768ff2f5e91106e0b7b608535b0c7409d63088a062cb97f9a9fb32fbfee68fb3d1614daf9ae9ab0c1ba6a0921f94ec409356c6a0488741028f47613db3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver35FF.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe

Filesize
177KB

MD5
abfefbb11f25ef6fdb9514c8720b7e46

SHA1
8e85a2c22dfcf3ae742148fff0b70c68144f4f08

SHA256
5fc31eba84b6df213ba163f82dd1518f5d41839201d48bf2240b43a3bb0bfd9c

SHA512
488a1c11042f92800f56db27e69a0fdeb6f1499686cb6ae8243850db18eb930f133b4b7d6165a6cb20039720ff500af2f99a0246ae0c4bdf0cb827be917f5703

Download Submit
C:\Windows\SysWOW64\mp170088.dl_

Filesize
43KB

MD5
ff613a3fa224a44796df6fd13ed29def

SHA1
f382df981a6eeb401c861a0ae3ba25d19677ef92

SHA256
d96c63af22fc263dd4b6bfe6b30e13020e6c46dc9bd1a546440f130551267b75

SHA512
67960c043ce2648a4e809f76492ce2db72e6a732c12238693494b7e98097f15394d71d5310794460af3e57b06986fc73af10d76bdbb0a3740320f2f3bc42b5ab

Download Submit
C:\Windows\SysWOW64\mp170088.dll

Filesize
80KB

MD5
9b02808f4e0b8a5e71a37949b6db062b

SHA1
715e45ad25db0fd7d2c1d856906637fd6467715c

SHA256
0c8f585418bce392ecbd330bae9a3535a4d92a2c9283e031024612935641cc30

SHA512
91844eb4490713c328704a0e4351fbce976a72136622b21f56fd9ae6f821eb5aa445c61ad07d885e67b126a2e66c3bb73d8e90bc305ffb48c94dcac650c6f415

Download Submit
memory/764-120-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/764-94-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/764-98-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/764-46-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/764-73-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/764-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2436-111-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2436-112-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2788-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-5-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-84-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2788-24-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2788-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-25-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3604-9-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3604-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-54-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3604-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3604-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3604-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3996-71-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3996-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3996-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-121-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-69-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4196-122-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4196-123-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

Filesize
4KB

Download
memory/4196-74-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4196-96-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-119-0x0000000000404000-0x0000000000406000-memory.dmp

Filesize
8KB

Download
memory/4196-72-0x0000000000404000-0x0000000000406000-memory.dmp

Filesize
8KB

Download
memory/4196-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-134-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4196-97-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

Filesize
4KB

Download
memory/4196-90-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4988-138-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4988-125-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4988-110-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4988-117-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4988-115-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download