ramnit | a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed

Analysis

max time kernel
89s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
Size

297KB
MD5

2e435b0a45e2b6de09b49b1a6ebe9a70
SHA1

a4b1b9bbebe54f6ca070962c9f96143f1cb72d2f
SHA256

a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed
SHA512

f46c5fa6613afb7e49018ceec781604ad3e013344630fb27f8752cab7f9bbb8372f88f07cf97cf07819e486cad75b629914cc0f6e7f24801449f17b0a7148036
SSDEEP

6144:j+xDVG0BpAComW1hh51lHEKSoWE5jlVUAF:Sa0BmComCHE65jAy

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe:*:enabled:@shell32.dll,-1"	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
4016	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
1940	WaterMark.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4016-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4016-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4016-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1940-154-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1940-155-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4956-156-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4956-157-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4956-159-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1940-158-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4956-160-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1940-163-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1940-164-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1940-165-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1940-166-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px94D2.tmp	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9281.tmp	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
204	4348	WerFault.exe	87
320	4956	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375795403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "841988842"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D2B34FD-6990-11ED-919F-DEE008EA10AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997917"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D2FFB19-6990-11ED-919F-DEE008EA10AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "841988842"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997917"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe
1940	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3680	iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
Token: SeDebugPrivilege	1940	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3680	iexplore.exe
4476	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4476	iexplore.exe
4476	iexplore.exe
3680	iexplore.exe
3680	iexplore.exe
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
4016	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
1940	WaterMark.exe
4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4016	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	85
PID 4956 wrote to memory of 4016	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	85
PID 4956 wrote to memory of 4016	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	85
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 576	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	3
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 660	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	1
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 764	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	8
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 784	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	83
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 788	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	82
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 892	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	81
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 944	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	10
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 1012	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	9
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 516	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	11
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 680	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	80
PID 4956 wrote to memory of 940	4956	a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe	12

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:764
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3404
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4744
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4888
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:2688
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1872
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4480
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1480
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:4752
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3856
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3660
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3492
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3340
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2052

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2552

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe
  "C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56ed.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
    C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID:4016
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      PID:1940
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 208
        6⤵
        Program crash
        
        PID:204
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4476
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3460
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3680
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3680 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 548
    3⤵
    - Program crash
    PID:320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1944

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4956 -ip 4956
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
147KB

MD5
bb894989d987bd61be0dd855a6118e47

SHA1
0c062712dfab1cb4bdb782708a25ab3aeb8bd34c

SHA256
e06b870486155a218e11f87d3da1e2f8c4ab6f130fad527b0a3de19039bc367e

SHA512
46f4fd26da8ad01bd67a2eef21d23def0b406afe4e384a5cd824a27ea946290e03d3818d847ed48d0b633c18684ad15fd88f267e8200fa1bebd4af33ab06a87c

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
147KB

MD5
bb894989d987bd61be0dd855a6118e47

SHA1
0c062712dfab1cb4bdb782708a25ab3aeb8bd34c

SHA256
e06b870486155a218e11f87d3da1e2f8c4ab6f130fad527b0a3de19039bc367e

SHA512
46f4fd26da8ad01bd67a2eef21d23def0b406afe4e384a5cd824a27ea946290e03d3818d847ed48d0b633c18684ad15fd88f267e8200fa1bebd4af33ab06a87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D2B34FD-6990-11ED-919F-DEE008EA10AF}.dat

Filesize
3KB

MD5
e16244af82d3da8f6d0b5b34f426213b

SHA1
27141a022a6f81dced06bde2b02c96e7a5ad3947

SHA256
bf3f885436b4b96a5c226000acb4c3cd1f0dd1e9409ee6d777fe2f9341724118

SHA512
5fe6470a0e6747c053d833be7d12ad06daee2e0f71a0032847d0198061a186414ca0312da657f7db077c3d575f5416e5b55c9eb2f72f9af6865c3fc8b05f6f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D2FFB19-6990-11ED-919F-DEE008EA10AF}.dat

Filesize
5KB

MD5
b62e55a77bc864c57bc88296615ab789

SHA1
305ea4e8834d7446e976111bc79f6833ff6ed83d

SHA256
7f3dd2857c6472b051854f2a3c4c1d8ecd9c7c19f6077edd486f617f68bff052

SHA512
13e43964f7cded0ca604fab4d0387f8ee6fa721aee4a9437bc8db0525e736b089d3a24714ebe6c79daaaec9287bdde8ae2000fac95dbc7264717eba8f1235ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe

Filesize
147KB

MD5
bb894989d987bd61be0dd855a6118e47

SHA1
0c062712dfab1cb4bdb782708a25ab3aeb8bd34c

SHA256
e06b870486155a218e11f87d3da1e2f8c4ab6f130fad527b0a3de19039bc367e

SHA512
46f4fd26da8ad01bd67a2eef21d23def0b406afe4e384a5cd824a27ea946290e03d3818d847ed48d0b633c18684ad15fd88f267e8200fa1bebd4af33ab06a87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a93ec4cc60524de7fe715e21888fe699fb6ed4d4c3d0ee773535243311be56edmgr.exe

Filesize
147KB

MD5
bb894989d987bd61be0dd855a6118e47

SHA1
0c062712dfab1cb4bdb782708a25ab3aeb8bd34c

SHA256
e06b870486155a218e11f87d3da1e2f8c4ab6f130fad527b0a3de19039bc367e

SHA512
46f4fd26da8ad01bd67a2eef21d23def0b406afe4e384a5cd824a27ea946290e03d3818d847ed48d0b633c18684ad15fd88f267e8200fa1bebd4af33ab06a87c

Download Submit
memory/1940-158-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-166-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1940-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-154-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-155-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1940-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4016-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4016-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4016-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4956-159-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4956-157-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4956-160-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4956-132-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4956-156-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download