ramnit | aab94d2c64fe8587713d655c83772ebd4e7ad7b3482921a8e064e0a4d9b782a3

Analysis

max time kernel
96s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_13760dbee7fc663210e7906316994c60.dll
Size

744KB
MD5

13760dbee7fc663210e7906316994c60
SHA1

216f5176bcbd5f3a0bb5130c5e83977da14d40a0
SHA256

aab94d2c64fe8587713d655c83772ebd4e7ad7b3482921a8e064e0a4d9b782a3
SHA512

54960885e8dd3459a65c1b7c296f6d071b62ce6e14175d68eeb10d4bc01d11ae40ec6f1b1ac6a44073f19807cd770f310df5a2c35efedc370023cfa9c0776e5c
SSDEEP

12288:KhpUrEIZJqr1AkBWwNa5R0EYl795/amaX3QXaPKUolmT4WlbX2/6CVsy7u:K/jG01NHXaPsl7YbXahVsgu

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 10 IoCs

pid	Process
748	rundll32mgr.exe
2788	rundll32mgrmgr.exe
3036	rundll32mgrmgrmgr.exe
2220	WaterMark.exe
2204	WaterMark.exe
380	WaterMark.exe
180	WaterMarkmgr.exe
2308	WaterMarkmgrmgr.exe
4424	WaterMark.exe
3168	WaterMark.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe	rundll32mgrmgr.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/748-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2204-59-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/180-97-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3168-123-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4424-122-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2308-119-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/380-118-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2308-99-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2204-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/380-76-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2220-75-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3036-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2220-57-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2788-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3036-39-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2220-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2204-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/380-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2220-154-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCD8.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBD55.tmp	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBD64.tmp	WaterMarkmgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCB8.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCE7.tmp	rundll32mgrmgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgrmgr.exe	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4696	5092	WerFault.exe	85
4408	2588	WerFault.exe
4204	3428	WerFault.exe
3572	4556	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163507"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3ADFC257-F066-11EF-B073-DEE92BEEB6C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007800f72ad488394694bafdc1f0126573000000000200000000001066000000010000200000001c6e662ea4c9484ddce7d969684e092890bd0fc5904e492925a7038b6f2387b0000000000e800000000200002000000081d0d6c1ac6bafaacf69a628445b609d4764b031c63974aec6f8613968f87793500000009be819c74356e0e22890b235c2131e948510f6df4b41857835dac71f72b08c8b98e46e00ebfe164cc2aeb9748bec2d83f2f6e488b2646ddac9c27f20c73b3ee3e8e6c8678903f4360c6a462bb956d904400000002e0477fc64dfc61a77740b1b3fe8eedd33a306b8074dc5c138a57b0e4e62f34ebc818b43b068662c98dd1bf6690410b6bf34c12c210b73bc065be28e25c57d12	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007800f72ad488394694bafdc1f0126573000000000200000000001066000000010000200000002d4149e06472e90a9b437098928f3c7bfc5476385be945956ea3ba28bb86127e000000000e8000000002000020000000b83542d9b3a3bf5ce74cdac274ba2fe712a66a4050d326ecb33c74eea91862d110000000c6d96c09ef5206b2faa077f5d731a1cd4000000029aa69648d95750ce61a7d29ac7ed49eebc2566a0bb52dde8b6f2b603512138a96de16d50d44d1b2a501610873484806fda6106bda71dd80460d1e958901d7c4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163507"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "264274709"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "283649901"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "329743433"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3ADFE967-F066-11EF-B073-DEE92BEEB6C2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3ADD8855-F066-11EF-B073-DEE92BEEB6C2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 23ff8bd88f81db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "264274709"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "264274709"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
3168	WaterMark.exe
3168	WaterMark.exe
3168	WaterMark.exe
3168	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
2220	WaterMark.exe
2220	WaterMark.exe
2204	WaterMark.exe
2204	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
380	WaterMark.exe
380	WaterMark.exe
4424	WaterMark.exe
380	WaterMark.exe
4424	WaterMark.exe
380	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe
4424	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	WaterMark.exe
Token: SeDebugPrivilege	2204	WaterMark.exe
Token: SeDebugPrivilege	380	WaterMark.exe
Token: SeDebugPrivilege	4424	WaterMark.exe
Token: SeDebugPrivilege	3168	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4548	iexplore.exe
3836	iexplore.exe
4600	iexplore.exe
2432	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4548	iexplore.exe
4548	iexplore.exe
2432	iexplore.exe
2432	iexplore.exe
3836	iexplore.exe
3836	iexplore.exe
4600	iexplore.exe
4600	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
4632	IEXPLORE.EXE
4632	IEXPLORE.EXE
4520	IEXPLORE.EXE
4520	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of UnmapMainImage 10 IoCs

pid	Process
748	rundll32mgr.exe
2788	rundll32mgrmgr.exe
3036	rundll32mgrmgrmgr.exe
2220	WaterMark.exe
2204	WaterMark.exe
380	WaterMark.exe
180	WaterMarkmgr.exe
2308	WaterMarkmgrmgr.exe
4424	WaterMark.exe
3168	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 5092	4872	rundll32.exe	85
PID 4872 wrote to memory of 5092	4872	rundll32.exe	85
PID 4872 wrote to memory of 5092	4872	rundll32.exe	85
PID 5092 wrote to memory of 748	5092	rundll32.exe	86
PID 5092 wrote to memory of 748	5092	rundll32.exe	86
PID 5092 wrote to memory of 748	5092	rundll32.exe	86
PID 748 wrote to memory of 2788	748	rundll32mgr.exe	87
PID 748 wrote to memory of 2788	748	rundll32mgr.exe	87
PID 748 wrote to memory of 2788	748	rundll32mgr.exe	87
PID 2788 wrote to memory of 3036	2788	rundll32mgrmgr.exe	89
PID 2788 wrote to memory of 3036	2788	rundll32mgrmgr.exe	89
PID 2788 wrote to memory of 3036	2788	rundll32mgrmgr.exe	89
PID 748 wrote to memory of 2220	748	rundll32mgr.exe	90
PID 748 wrote to memory of 2220	748	rundll32mgr.exe	90
PID 748 wrote to memory of 2220	748	rundll32mgr.exe	90
PID 2788 wrote to memory of 2204	2788	rundll32mgrmgr.exe	91
PID 2788 wrote to memory of 2204	2788	rundll32mgrmgr.exe	91
PID 2788 wrote to memory of 2204	2788	rundll32mgrmgr.exe	91
PID 2220 wrote to memory of 180	2220	WaterMark.exe	92
PID 2220 wrote to memory of 180	2220	WaterMark.exe	92
PID 2220 wrote to memory of 180	2220	WaterMark.exe	92
PID 3036 wrote to memory of 380	3036	rundll32mgrmgrmgr.exe	93
PID 3036 wrote to memory of 380	3036	rundll32mgrmgrmgr.exe	93
PID 3036 wrote to memory of 380	3036	rundll32mgrmgrmgr.exe	93
PID 180 wrote to memory of 2308	180	WaterMarkmgr.exe	94
PID 180 wrote to memory of 2308	180	WaterMarkmgr.exe	94
PID 180 wrote to memory of 2308	180	WaterMarkmgr.exe	94
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 2220 wrote to memory of 2588	2220	WaterMark.exe	95
PID 2204 wrote to memory of 3428	2204	WaterMark.exe	96
PID 180 wrote to memory of 4424	180	WaterMarkmgr.exe	97
PID 180 wrote to memory of 4424	180	WaterMarkmgr.exe	97
PID 180 wrote to memory of 4424	180	WaterMarkmgr.exe	97
PID 2308 wrote to memory of 3168	2308	WaterMarkmgrmgr.exe	98
PID 2308 wrote to memory of 3168	2308	WaterMarkmgrmgr.exe	98
PID 2308 wrote to memory of 3168	2308	WaterMarkmgrmgr.exe	98
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 380 wrote to memory of 4556	380	WaterMark.exe	100
PID 4424 wrote to memory of 4800	4424	WaterMark.exe	101
PID 4424 wrote to memory of 4800	4424	WaterMark.exe	101
PID 4424 wrote to memory of 4800	4424	WaterMark.exe	101
PID 4424 wrote to memory of 4800	4424	WaterMark.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13760dbee7fc663210e7906316994c60.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13760dbee7fc663210e7906316994c60.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 212
        8⤵
        Program crash
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:4432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 204
        7⤵
        Program crash
        
        PID:4204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4548 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4520
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:180
      - C:\Program Files (x86)\Microsoft\WaterMarkmgrmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgrmgr.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        
        PID:3168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        Modifies Internet Explorer settings
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        Modifies Internet Explorer settings
        
        PID:1460
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 204
        6⤵
        Program crash
        
        PID:4408
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3836
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3836 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2432
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 628
    3⤵
    - Program crash
    PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2588 -ip 2588
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3428 -ip 3428
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4800 -ip 4800
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4556 -ip 4556
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3824 -ip 3824
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
471B

MD5
df58e4712f99e33fb312cf3976213d6f

SHA1
53a967ff0aececa9024ed2e99149ca168fbb0532

SHA256
afcbcd93457572a8cd227ab1f3605e6ca8cdad5c65848750968fd4186b6d2189

SHA512
cf757e2a4e28c4d65fd24d355f72c10d5dbecf4f57a2cf2d50b75a546832fdcb4c04833e5301960cdfd5491251160cc3b25a8a21d695f06b6a3be5da667e205c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
9f28b269c560505a05024a5fe6828a1d

SHA1
937a7e642be7bd67c3820756b30644a0ee1cf048

SHA256
9613b6817e6b942d01456bd8870f9e392db81f6b9a3654fbe5b13d8254906270

SHA512
ea623c31063e3ad61e45920cf914c4d5bbcbe025bd97df5a9c7b4077c16e18b880a5120a1c96540ed9a4cadad5af1356235a6567e1e046812daafa2a853faa7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
944d9a7d58dae96c6bdcaddea19ec86e

SHA1
6c143480ad71e8e22fdbd98d6086b83a12ef5307

SHA256
f4f9aecbb79c051f2f4ba39c9aac8ace69f23bf369490a63a20562f7526ebbdf

SHA512
aa0168533e9f5a23ecb22d5a8ede25b9ca427721d5149997769d2556613842baaa4a830ecb4baf92966d24d1a2eb5d237ff66392ec4876fd57277f4896ec2eb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3ADD8855-F066-11EF-B073-DEE92BEEB6C2}.dat

Filesize
3KB

MD5
9e6b9ea82bcb8bf19de3c9e8666fb162

SHA1
07e6a9e02750833087f450491a91722688663521

SHA256
358ff7018fe14dc0a26204fbd4ef635d9f93c72cb30dcc2ccc1a9d1d8f5a922d

SHA512
2eb69a4914b69e246d8125f5d45e70489313728c4fce6340c25b0cfe47ea0af507c545ab8466717accb7c02acd8f4f4e0f4bcbebaa353ae0e28aa12697094d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3ADD8855-F066-11EF-B073-DEE92BEEB6C2}.dat

Filesize
5KB

MD5
88a9774f50bb804cfc811a736b61e15e

SHA1
34d94ad2733b8e237e0816cf139e949c57cd0b84

SHA256
caf839603248e6562bc060bf2c632071bfb50414d14517010c6690bc6f771707

SHA512
e00bff06cb85e5e2945fbe26b5f05ad4a8fbb8ddd7447650f234eb763c694d054c640e048ce04b38cfbfce1fbd402f860add3098aa2da95ddc30bc8665339e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3ADFE967-F066-11EF-B073-DEE92BEEB6C2}.dat

Filesize
3KB

MD5
fd34e550db8adfacf45162f9eda01d1a

SHA1
737c53a393e2f9ae1a9ba1172ffaaff17fdb48c3

SHA256
46d7be4a89c80c73b5fbcf61fc362a03d113650cd252969588da0bcfca35f86b

SHA512
0f6f338f32a905c5f5fade3b097f361943f1242fd44cb99a86d0bfb6723dc78391b39fd0419d8ec78b465e602a1e4718d02055c14963136702a1f24ffe877968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3ADFE967-F066-11EF-B073-DEE92BEEB6C2}.dat

Filesize
5KB

MD5
39b8f555c58f167c49d9577502ce497b

SHA1
a86448dcc1df7feba2dd1ae5692da3c3986d4476

SHA256
fd8f4f4a79868b81b25a1b12a38673fa7f2ca7b714c2d9ff98166be0bb424676

SHA512
56bfa59d79b953767936d9643a840151a29e42189439e6a3d63a8481abcbd734a2b8e80c2fa105a420bbdf6821d12e04a96d421d7ce949ab8b99f1997c168dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FZFF3Z83\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
281KB

MD5
7fa5b405d5e2966bfeee120a47420c98

SHA1
46a0239b868a6a72f6a341ab19594f443ffcb837

SHA256
f0b3eac72703b185aa2cf559ec448b04d43e54304e1934311c389cdda846f62e

SHA512
3abca9e44fafd2aa84e52080be6fa3810ebd03579881f01274904cfc00e279a4cb8a3bf0a186f7a0c2adabe5fd49af69a4d712050185a4255bf4795206b55518

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
186KB

MD5
d51e77c9a9e76d1b3c39ab0ee2f8830b

SHA1
dec554077b79c64c1baf706018c47a8dad701b10

SHA256
a7f06e3b8da54ac20137687ba4c35346c25aab7ccac8055c629675f4ce9c3f1c

SHA512
1788bf9ff876536023c25d50feb756450c9c6a8c34c4c2bd3fa3726efea4498b875bf6439b3215b8af75a3d62fa5ae7c4080d5efe0ef3d3bc24284b58fc6eeec

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

Filesize
92KB

MD5
3713483b89ae5e60e9b5209e8a06a92a

SHA1
ff8da037a35d8e9aa3db4102386bfa06037eb7fc

SHA256
2eb22fd6f55e9838b822269ce59e9ad71f2273ac7b994e694a9271ca277309b4

SHA512
bbdbc616d9fa08ef558a7f60847bab4ab4686ccce7ab89895be401204e65285ff25d7162213d9aef5bf344f2ec4026419c46e5168e4d8176483c925026e0df1d

Download Submit
memory/180-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/180-117-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/180-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/180-116-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/380-118-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/380-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/380-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/380-107-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/748-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-4-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/748-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-14-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/748-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/748-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2204-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2204-59-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2204-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2204-71-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2220-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-57-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2220-77-0x0000000076FC2000-0x0000000076FC3000-memory.dmp

Filesize
4KB

Download
memory/2220-139-0x0000000076FC2000-0x0000000076FC3000-memory.dmp

Filesize
4KB

Download
memory/2220-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2220-64-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2308-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-99-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2588-120-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2788-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2788-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-123-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3428-121-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4424-122-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5092-0-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/5092-127-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download