Analysis
- max time kernel: 1800s
- max time network: 1786s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 20:13
Static task: static1
Behavioral task: behavioral1
- Sample: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
- Resource: win10v2004-20220414-en
General
- Target: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
- Size: 1.3MB
- MD5: 4c6aa8c110669a6662c06c7d6b38ba35
- SHA1: 4dd07af4c8402364e079ee09c1b067a88ffbb799
- SHA256: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac
- SHA512: a5c33bc0c55cd1429898f42b12ed4b10e21652129c445ac021533f0bcd653dc90c1686d7a71b2a70edd971f7826d5ea0e74fd7f5affb287518c17a4a8bae458e
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
- suricata: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain
- suricata: ET MALWARE Win32/Ramnit Checkin
- Executes dropped EXE (2 IoCs)
  pid 1796: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
  pid 1540: WaterMark.exe
- yara_rule match: upx (5 IoCs)
  behavioral1/memory/1796-61-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/1796-62-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/1796-67-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/1540-86-0x0000000000400000-0x0000000000438000-memory.dmp
  behavioral1/memory/1540-156-0x0000000000400000-0x0000000000421000-memory.dmp
- Loads dropped DLL (4 IoCs)
  pid 1852: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe (2 hits)
  pid 1796: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe (2 hits)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- Drops file in Program Files directory (64 IoCs; processes: svchost.exe, 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed, hit counts in parentheses)
  pid 1540: WaterMark.exe (8 hits)
  pid 828: svchost.exe (56 hits)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 1540, WaterMark.exe
  Token: SeDebugPrivilege, pid 828, svchost.exe
  Token: SeDebugPrivilege, pid 1852, 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
  Token: SeDebugPrivilege, pid 1540, WaterMark.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1796: 37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
  pid 1540: WaterMark.exe
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed, hit counts in parentheses)
  PID 1852 (37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe) wrote to memory of PID 1796 (37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe) (4 hits)
  PID 1796 (37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe) wrote to memory of PID 1540 (WaterMark.exe) (4 hits)
  PID 1540 (WaterMark.exe) wrote to memory of PID 1116 (svchost.exe) (10 hits)
  PID 1540 (WaterMark.exe) wrote to memory of PID 828 (svchost.exe) (10 hits)
  PID 828 (svchost.exe) wrote to memory of PID 260 (smss.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 332 (csrss.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 368 (wininit.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 384 (csrss.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 420 (winlogon.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 464 (services.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 480 (lsass.exe) (5 hits)
  PID 828 (svchost.exe) wrote to memory of PID 488 (lsm.exe) (1 hit; the 64-IoC list ends here)
Processes (tree; nesting shows parent/child, "signatures:" lists the detections attributed to that process)
- C:\Windows\system32\lsass.exe
  cmdline: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe
  cmdline: C:\Windows\system32\services.exe
  - C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe
    cmdline: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\taskhost.exe
    cmdline: "taskhost.exe"
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe
    cmdline: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\winlogon.exe
  cmdline: winlogon.exe
- C:\Windows\system32\csrss.exe
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe
  cmdline: wininit.exe
  - C:\Windows\system32\lsm.exe
    cmdline: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\System32\smss.exe
  cmdline: \SystemRoot\System32\smss.exe
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aac.exe"
    signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
      signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe
          signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
        - C:\Windows\SysWOW64\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\wbem\wmiprvse.exe
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  cmdline: wmiadap.exe /F /T /R
- C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (duplicate entries collapsed; all four paths carry the same size and hashes)
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 184KB
  MD5: d059e448bae51f521010cbce8f23643a
  SHA1: 74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0
  SHA256: c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655
  SHA512: 7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e
- C:\Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
  Filesize: 184KB
  MD5: d059e448bae51f521010cbce8f23643a
  SHA1: 74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0
  SHA256: c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655
  SHA512: 7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e
- \Program Files (x86)\Microsoft\WaterMark.exe
  Filesize: 184KB
  MD5: d059e448bae51f521010cbce8f23643a
  SHA1: 74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0
  SHA256: c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655
  SHA512: 7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e
- \Users\Admin\AppData\Local\Temp\37402cd4871d5beb1ed19079029426bc1330ec6b6e81cc5d6dce66bc0f6b0aacmgr.exe
  Filesize: 184KB
  MD5: d059e448bae51f521010cbce8f23643a
  SHA1: 74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0
  SHA256: c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655
  SHA512: 7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e
- memory/828-92-0x0000000020010000-0x000000002001B000-memory.dmp (44KB)
- memory/828-91-0x0000000000000000-mapping.dmp
- memory/828-89-0x0000000020010000-0x000000002001B000-memory.dmp (44KB)
- memory/1116-75-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/1116-79-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/1116-205-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/1116-87-0x0000000020010000-0x0000000020022000-memory.dmp (72KB)
- memory/1116-77-0x0000000000000000-mapping.dmp
- memory/1540-86-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1540-156-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1540-66-0x0000000000000000-mapping.dmp
- memory/1796-67-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1796-62-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1796-61-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1796-57-0x0000000000000000-mapping.dmp
- memory/1852-83-0x00000000106B0000-0x00000000107FE000-memory.dmp (1.3MB)
- memory/1852-84-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1852-85-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1852-54-0x00000000753B1000-0x00000000753B3000-memory.dmp (8KB)
- memory/1852-734-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)