88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2

Analysis

max time kernel
86s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
Size

233KB
MD5

60424e0018b13bf7d4662f7af3f6e877
SHA1

5c77a88b71e006f6d6c30db56863293e0138d1d9
SHA256

88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2
SHA512

bdb261b7ea5790889e0f3c15e443b4cd544f1681c8a2039339788caae07cd20be658fef0c93972e208570b5a4f826c9d8b603dd6e6eaa3825f82b4acf54f3149
SSDEEP

3072:vT2xNfzEmPUac0yCRS9EK0TLm8sGN188Yk7VybxwOSc6w+QjKMEHyGgYBV9:LkPpe0m8sGN1tVye9cE7PHpgO

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe:*:enabled:@shell32.dll,-1"	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe

Executes dropped EXE 2 IoCs

pid	Process
2580	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
3632	WaterMark.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2580-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2580-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2580-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3632-150-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3632-153-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4112-155-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/3632-157-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4112-158-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/4112-159-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/4112-160-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3632-163-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3632-164-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3632-165-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3632-166-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3632-167-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA398.tmp	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA676.tmp	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3704	5108	WerFault.exe	88
3748	4112	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "903759941"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987711"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "908603846"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987711"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371411966"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987711"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "903759941"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "903759941"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987711"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{61535AD6-41B2-11ED-A0EE-D2F2753F5017} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "903759941"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987711"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987711"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "908603846"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6149D0F8-41B2-11ED-A0EE-D2F2753F5017} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe
3632	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2908	iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
Token: SeDebugPrivilege	3632	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2908	iexplore.exe
1960	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1960	iexplore.exe
2908	iexplore.exe
1960	iexplore.exe
2908	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
3108	IEXPLORE.EXE
3108	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2580	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
3632	WaterMark.exe
4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	86
PID 4112 wrote to memory of 2580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	86
PID 4112 wrote to memory of 2580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	86
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 580	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	81
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 672	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	1
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 772	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	2
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 780	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	79
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 788	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	78
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 900	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	77
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 948	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	76
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 4112 wrote to memory of 1020	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	3
PID 2580 wrote to memory of 3632	2580	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe	87
PID 2580 wrote to memory of 3632	2580	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe	87
PID 2580 wrote to memory of 3632	2580	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe	87
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 440	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	75
PID 4112 wrote to memory of 692	4112	88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe	74
PID 3632 wrote to memory of 5108	3632	WaterMark.exe	88
PID 3632 wrote to memory of 5108	3632	WaterMark.exe	88
PID 3632 wrote to memory of 5108	3632	WaterMark.exe	88

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2496

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2284

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1524

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5108 -ip 5108
  2⤵
  PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4112 -ip 4112
  2⤵
  PID:4776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2588

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3476

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4084

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe
"C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2.exe"
1⤵
- Modifies firewall policy service
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
  C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 204
        5⤵
        Program crash
        
        PID:3704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2908
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 736
  2⤵
  - Program crash
  PID:3748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2676

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2168

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
115KB

MD5
ffcf01fff0a9a0f712f29cd7d8f5e58e

SHA1
a8aeae028e7c17a39f5edc2f7ac4b5e78c8b2202

SHA256
5be99e12a32411b31e5e4e8329e9649a2d6adcb890d938f2c32e1d1778aad8fb

SHA512
1b01f124e9a1732213b4c7157f7096840a60fcf5c7e2c529e66c9a03f02ba52d10ac91d49883a605e0b04117ae21cd00d0978a35a5f3e6f728bc4864436497a2

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
115KB

MD5
ffcf01fff0a9a0f712f29cd7d8f5e58e

SHA1
a8aeae028e7c17a39f5edc2f7ac4b5e78c8b2202

SHA256
5be99e12a32411b31e5e4e8329e9649a2d6adcb890d938f2c32e1d1778aad8fb

SHA512
1b01f124e9a1732213b4c7157f7096840a60fcf5c7e2c529e66c9a03f02ba52d10ac91d49883a605e0b04117ae21cd00d0978a35a5f3e6f728bc4864436497a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f525b778e6901e8c416e2920e4e3dc0b

SHA1
917ce8ae6d64bdd4dd438488176253022c57a083

SHA256
c9eee793aa4aa79f35d393f9f1d863483aaf4004dea6ac19bda868e92a71f8bd

SHA512
f6f47a4935c09769b8df316e1b459c7b153ed26ac409d4bf2ce62a1635dba4eaf7ce77de5ce83100d6f3ce7aadffed7591fb7cee7ac10a0c081a2d3c613f1ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f525b778e6901e8c416e2920e4e3dc0b

SHA1
917ce8ae6d64bdd4dd438488176253022c57a083

SHA256
c9eee793aa4aa79f35d393f9f1d863483aaf4004dea6ac19bda868e92a71f8bd

SHA512
f6f47a4935c09769b8df316e1b459c7b153ed26ac409d4bf2ce62a1635dba4eaf7ce77de5ce83100d6f3ce7aadffed7591fb7cee7ac10a0c081a2d3c613f1ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4d6c19b3ea429e4b58efbb1ef4aeb9e1

SHA1
322e69a6e85ccb4875d94b19a138dc4d75564fe9

SHA256
aadbfd526764b1723a5935c8e30e9f6565a1683c8cd18e2c6223b47ef08ab1e1

SHA512
fb93ece688598043859309275803527cca895a7e80a20a2dd27d668814bc86fe48362782e06f6504485220aa9f00d42c584e21b8e82ce856b9ccc6bfed17967e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c37c8b9b19bdb53266efa0442c4cda38

SHA1
1f5ef19b0f6e8b1efbe48809855f32b131ca8754

SHA256
3a3d79ee902df19652505b0016bb776f649f17304ba917d0acb879ea9b36a914

SHA512
89e7992a367080fd7e098b6e2cf38970484b0646aedc1aa50f98284e08c7befd823612117693703887eb72746cccb9cfc9aace1418819741cca254fd9adfb075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6149D0F8-41B2-11ED-A0EE-D2F2753F5017}.dat

Filesize
5KB

MD5
6265d8974ff56fa395331a94e7c1f8af

SHA1
3c0b83180b67a70866d12de20a7fb8381dfd1905

SHA256
dc2670a6733fedbd8b363e1f570ce233e250857d5f10ce4e9f044bb452607f6b

SHA512
257f1fc3a31bea2c95280e9b2afacb7bf66b504831cbd600cf4e7903ddafd0051fcb0a86daccf43c0b49f0c034fb7b744edc4554350fb1b0c572b51be63aac41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61535AD6-41B2-11ED-A0EE-D2F2753F5017}.dat

Filesize
5KB

MD5
4300cd6577b02bf48cfc47b5695be157

SHA1
64a911eaecbbfa25a010f81a0a86d8dd0ffa5ccd

SHA256
55ca5640bea9b3627b577c4da0fcc990506b16c6661f435fa9f4c1d0926a0446

SHA512
ef4d8307c12fb0121c6de742ba13eb19ac063fb0b92fa1ae13d6a279c899ca1df1794d5978b9ba74bdfdf8e9686bfd4a43e8cba5edf24819ec43d46784b2a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe

Filesize
115KB

MD5
ffcf01fff0a9a0f712f29cd7d8f5e58e

SHA1
a8aeae028e7c17a39f5edc2f7ac4b5e78c8b2202

SHA256
5be99e12a32411b31e5e4e8329e9649a2d6adcb890d938f2c32e1d1778aad8fb

SHA512
1b01f124e9a1732213b4c7157f7096840a60fcf5c7e2c529e66c9a03f02ba52d10ac91d49883a605e0b04117ae21cd00d0978a35a5f3e6f728bc4864436497a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\88db8ec54ed7319b47f436446ebe66ef1f4f958a87e6403431422825d65222e2mgr.exe

Filesize
115KB

MD5
ffcf01fff0a9a0f712f29cd7d8f5e58e

SHA1
a8aeae028e7c17a39f5edc2f7ac4b5e78c8b2202

SHA256
5be99e12a32411b31e5e4e8329e9649a2d6adcb890d938f2c32e1d1778aad8fb

SHA512
1b01f124e9a1732213b4c7157f7096840a60fcf5c7e2c529e66c9a03f02ba52d10ac91d49883a605e0b04117ae21cd00d0978a35a5f3e6f728bc4864436497a2

Download Submit
memory/2580-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2580-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3632-157-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-167-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3632-150-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-166-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-153-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-163-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-164-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-165-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4112-155-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4112-158-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4112-160-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4112-149-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4112-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download