ramnit | 19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	IEXPLORE.EXE

Windows security bypass 2 TTPs 18 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	IEXPLORE.EXE

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	WaterMark.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	IEXPLORE.EXE

Disables Task Manager via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
4692	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
996	WaterMark.exe
4832	WaterMarkmgr.exe
3192	WaterMark.exe
5112	WaterMark.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1608-136-0x0000000003710000-0x000000000473A000-memory.dmp	upx
behavioral2/memory/4692-141-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1608-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1608-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1608-137-0x0000000004B40000-0x0000000005BCE000-memory.dmp	upx
behavioral2/memory/1608-147-0x0000000003710000-0x000000000473A000-memory.dmp	upx
behavioral2/memory/1608-153-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4692-157-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4832-164-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4832-167-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1608-160-0x0000000004B40000-0x0000000005BCE000-memory.dmp	upx
behavioral2/memory/3192-174-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/4832-178-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4832-183-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3192-181-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/996-175-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/3192-170-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/5112-185-0x0000000003300000-0x000000000432A000-memory.dmp	upx
behavioral2/memory/5112-186-0x0000000004730000-0x00000000057BE000-memory.dmp	upx
behavioral2/memory/996-196-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/3192-195-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/996-193-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/5112-197-0x0000000004730000-0x00000000057BE000-memory.dmp	upx
behavioral2/memory/5112-198-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/996-199-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/5112-200-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/5112-201-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/5112-202-0x0000000003300000-0x000000000432A000-memory.dmp	upx
behavioral2/memory/5112-203-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/996-208-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3192-209-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-213-0x0000000004730000-0x00000000057BE000-memory.dmp	upx
behavioral2/memory/5112-214-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-215-0x0000000003300000-0x000000000432A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB2DA.tmp	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB645.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	IEXPLORE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	IEXPLORE.EXE
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	IEXPLORE.EXE
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	IEXPLORE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\pxB1C1.tmp	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3035412540"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374663471"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995281"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3036038177"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3069944609"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3035568854"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995281"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3069944609"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3069944609"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995281"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3035412540"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3035568854"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995281"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3036038177"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995281"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995281"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995281"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E0321E07-5F44-11ED-A0EE-7ADCB3813C8F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
996	WaterMark.exe
996	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
3192	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
996	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1920	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Token: SeDebugPrivilege	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2780	iexplore.exe
1920	iexplore.exe
3176	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3176	iexplore.exe
3176	iexplore.exe
2780	iexplore.exe
2780	iexplore.exe
1920	iexplore.exe
1920	iexplore.exe
4640	IEXPLORE.EXE
4640	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
3100	IEXPLORE.EXE
3100	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
4692	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
996	WaterMark.exe
4832	WaterMarkmgr.exe
3192	WaterMark.exe
5112	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4692	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	80
PID 1608 wrote to memory of 4692	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	80
PID 1608 wrote to memory of 4692	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	80
PID 1608 wrote to memory of 780	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	13
PID 1608 wrote to memory of 784	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	12
PID 1608 wrote to memory of 1016	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	9
PID 1608 wrote to memory of 2392	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	22
PID 1608 wrote to memory of 2436	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	59
PID 1608 wrote to memory of 2740	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	32
PID 1608 wrote to memory of 2736	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	30
PID 1608 wrote to memory of 1996	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	29
PID 1608 wrote to memory of 3268	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	28
PID 1608 wrote to memory of 3356	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	27
PID 1608 wrote to memory of 3424	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	26
PID 1608 wrote to memory of 3516	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	57
PID 1608 wrote to memory of 3808	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	56
PID 1608 wrote to memory of 4760	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	38
PID 1608 wrote to memory of 4692	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	80
PID 1608 wrote to memory of 4692	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	80
PID 1608 wrote to memory of 996	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	81
PID 1608 wrote to memory of 996	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	81
PID 1608 wrote to memory of 996	1608	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe	81
PID 996 wrote to memory of 4832	996	WaterMark.exe	87
PID 996 wrote to memory of 4832	996	WaterMark.exe	87
PID 996 wrote to memory of 4832	996	WaterMark.exe	87
PID 4692 wrote to memory of 3192	4692	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe	85
PID 4692 wrote to memory of 3192	4692	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe	85
PID 4692 wrote to memory of 3192	4692	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe	85
PID 4832 wrote to memory of 5112	4832	WaterMarkmgr.exe	84
PID 4832 wrote to memory of 5112	4832	WaterMarkmgr.exe	84
PID 4832 wrote to memory of 5112	4832	WaterMarkmgr.exe	84
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 996 wrote to memory of 1652	996	WaterMark.exe	83
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 3192 wrote to memory of 1764	3192	WaterMark.exe	82
PID 5112 wrote to memory of 780	5112	WaterMark.exe	13
PID 5112 wrote to memory of 784	5112	WaterMark.exe	12
PID 5112 wrote to memory of 1016	5112	WaterMark.exe	9
PID 5112 wrote to memory of 780	5112	WaterMark.exe	13
PID 5112 wrote to memory of 784	5112	WaterMark.exe	12
PID 5112 wrote to memory of 1016	5112	WaterMark.exe	9
PID 5112 wrote to memory of 2392	5112	WaterMark.exe	22
PID 5112 wrote to memory of 2392	5112	WaterMark.exe	22
PID 5112 wrote to memory of 2436	5112	WaterMark.exe	59
PID 5112 wrote to memory of 2436	5112	WaterMark.exe	59
PID 5112 wrote to memory of 2740	5112	WaterMark.exe	32
PID 5112 wrote to memory of 2740	5112	WaterMark.exe	32
PID 5112 wrote to memory of 2736	5112	WaterMark.exe	30
PID 5112 wrote to memory of 2736	5112	WaterMark.exe	30
PID 5112 wrote to memory of 1996	5112	WaterMark.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1996

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe
  "C:\Users\Admin\AppData\Local\Temp\19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1e.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
    C:\Users\Admin\AppData\Local\Temp\19e5deba49e461a011decdf81cab1e4934cc792909be23cde93fdd3b151d4c1emgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3176
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4640
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1920
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:17410 /prefetch:2
        6⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4596
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1652
  - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
      "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2780
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3100
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2404

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:1764

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5112
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:2160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:2284
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE"
  2⤵
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry