Malware Analysis Report

2025-03-15 04:32

Sample ID 241025-2a487svhrb
Target ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N
SHA256 ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480
Tags
ramnit banker discovery persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480

Threat Level: Known bad

The file ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery persistence spyware stealer trojan upx worm

Ramnit

Ramnit family

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 22:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 22:23

Reported

2024-10-25 22:25

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\net.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jsdt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\MoreGames.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll C:\Windows\SysWOW64\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1688 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1688 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1688 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2412 wrote to memory of 1624 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2412 wrote to memory of 1624 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2412 wrote to memory of 1624 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2412 wrote to memory of 1624 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2412 wrote to memory of 2872 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2412 wrote to memory of 2872 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2412 wrote to memory of 2872 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2412 wrote to memory of 2872 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1624 wrote to memory of 2632 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1624 wrote to memory of 2632 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1624 wrote to memory of 2632 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1624 wrote to memory of 2632 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2872 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2872 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2872 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2872 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 2956 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2108 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2108 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2108 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2108 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 1992 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 1992 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2632 wrote to memory of 1992 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 172.217.16.238:80 google.com tcp

Files

\Windows\SysWOW64\rundll32mgr.exe

MD5 2bddb76033806bf539c8e2181918bf00
SHA1 312ff39c3232c825c5f47d978d98b7509e669ea8
SHA256 db6a17ba5c9da47eff43390722e7ded570ccaf7ff51d162cbce703404b8d93e1
SHA512 b6ec1972f8cb70ab94152b4661313330b7348cbc1ca0d0575de9ec0aa44073d792b36d60e6ceba9d9db2325debccc349f612713db8fc1aaa7968efde0b928087

memory/1688-7-0x0000000010000000-0x000000001004F000-memory.dmp

memory/1688-9-0x0000000000700000-0x0000000000777000-memory.dmp

memory/2412-11-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1688-12-0x0000000000700000-0x0000000000777000-memory.dmp

memory/1688-8-0x0000000010000000-0x000000001004F000-memory.dmp

memory/2412-19-0x0000000000130000-0x000000000018B000-memory.dmp

memory/2412-18-0x0000000000130000-0x000000000018B000-memory.dmp

\Windows\SysWOW64\rundll32mgrmgr.exe

MD5 f42a27072c2104833bbbb7035b47779f
SHA1 63189476fedae3449c3d9d276112ea36d34c12f3
SHA256 a901db1aaaeb5305865553ffce909dfb07c9f5673ad2fd7904293ef04efdd61f
SHA512 ab9733331a23b871a1e5eb0dc25d9996fce791d0364bcfcfba0e81cda137aee5715586625c4c52a450d3ec76320202ea35a1ae3cbed57177c4daa1e2e5b28b45

memory/1624-23-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2412-28-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2412-33-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1624-37-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-27-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-26-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-25-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1624-57-0x00000000002A0000-0x0000000000317000-memory.dmp

memory/2108-85-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2632-88-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2632-102-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2532-133-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2532-136-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2956-117-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2956-113-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2952-94-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2952-92-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2872-89-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2872-72-0x0000000000390000-0x00000000003EB000-memory.dmp

memory/2872-68-0x0000000000390000-0x00000000003EB000-memory.dmp

memory/2632-66-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1624-55-0x00000000002A0000-0x0000000000317000-memory.dmp

memory/1624-54-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2412-51-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2872-714-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 080b4bbc129ebc4e9934d4846e524b1c
SHA1 35043c7e79240ad4a77d4f71e6e2d8c38677272b
SHA256 0fc499b245bd20a6f1c35e7d0702b536adea51ea1cf15a514af370da71b4b73d
SHA512 a5a73e35e9c4b7c5a9499758e591cb99f9416b1229dc75ebe4ef1e034ceacd6414eb03d57fdcffa28799f745f5d927b888465217226db861de5153e45fdf5a9a

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 458edd0105642a57b1482775005c8659
SHA1 b2a9cefa0a923122d69ae2ac792295a85bb69e24
SHA256 d6ee8b964ea82740d0fe4890d927ad4aa2bab47df6d06a70efa5893aa4125a9e
SHA512 ed63bdb912b6ff6dca98204ddf14392c3da00521e385f5580af9cb770179f879a29b3594a96fa9c4b6819855ae203e193fc1c0a761ac9301c906603add1cf727

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 22:23

Reported

2024-10-25 22:25

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px8A4E.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px8ADB.tmp C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px8AEA.tmp C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2756860217" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CFAF965B-931F-11EF-A4B7-FA9F886F8D04} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31139628" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CFAAD060-931F-11EF-A4B7-FA9F886F8D04} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2752328984" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2756860217" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31139628" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436660006" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31139628" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31139628" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2752328984" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 3156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4232 wrote to memory of 3156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4232 wrote to memory of 3156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 3156 wrote to memory of 2676 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 3156 wrote to memory of 2676 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 3156 wrote to memory of 2676 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 3156 wrote to memory of 2704 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3156 wrote to memory of 2704 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3156 wrote to memory of 2704 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2704 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2704 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2704 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 2676 wrote to memory of 2136 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2676 wrote to memory of 2136 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2676 wrote to memory of 2136 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2932 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2932 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2932 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1588 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2136 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 228 wrote to memory of 1700 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2704 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2704 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2704 wrote to memory of 2196 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 1344 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 1344 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 1440 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 1440 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 228 wrote to memory of 708 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 228 wrote to memory of 708 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 228 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 228 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 4848 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2196 wrote to memory of 4848 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2196 wrote to memory of 4848 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7e6f6c763ab070339c763e31cffea656fa8d629df7a2c822971a4081b00480N.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4232-0-0x0000000010000000-0x000000001004F000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 2bddb76033806bf539c8e2181918bf00
SHA1 312ff39c3232c825c5f47d978d98b7509e669ea8
SHA256 db6a17ba5c9da47eff43390722e7ded570ccaf7ff51d162cbce703404b8d93e1
SHA512 b6ec1972f8cb70ab94152b4661313330b7348cbc1ca0d0575de9ec0aa44073d792b36d60e6ceba9d9db2325debccc349f612713db8fc1aaa7968efde0b928087

memory/3156-6-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2676-9-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgr.exe

MD5 f42a27072c2104833bbbb7035b47779f
SHA1 63189476fedae3449c3d9d276112ea36d34c12f3
SHA256 a901db1aaaeb5305865553ffce909dfb07c9f5673ad2fd7904293ef04efdd61f
SHA512 ab9733331a23b871a1e5eb0dc25d9996fce791d0364bcfcfba0e81cda137aee5715586625c4c52a450d3ec76320202ea35a1ae3cbed57177c4daa1e2e5b28b45

memory/3156-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3156-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-59-0x00000000777B2000-0x00000000777B3000-memory.dmp

memory/2136-68-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1588-78-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/1588-77-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/2136-71-0x0000000000470000-0x0000000000471000-memory.dmp

memory/2932-58-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2676-57-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-56-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-55-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2932-44-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2932-39-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2704-36-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3156-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3156-18-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3156-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3156-15-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/3156-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3156-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-83-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-84-0x0000000000070000-0x0000000000071000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFAF965B-931F-11EF-A4B7-FA9F886F8D04}.dat

MD5 2c19865ee35ece8bba45e7e59ed8ea9e
SHA1 e2bafffdf1c9ac860bd821682160798ea7d3766c
SHA256 b42752879d0af70870f6ce827651b159d4b0fe14e262058f030208a14e396642
SHA512 1e577c9250e38fd08cdb4efca243536f4edb56b9a18d19f25175d229a06ed47662de07cf8bc3f73b8d50a28d57297b943fd76e504ead088d1fb06f5df5e41465

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFAAD060-931F-11EF-A4B7-FA9F886F8D04}.dat

MD5 095ec9b1563296e768ad0721b2230c76
SHA1 4994889c02ed2fe8bbdc67196a368bfaf7cb6d60
SHA256 267c83f84b4269bd2b2372e96d677d2672035a5417773cba80fa2809d28eb5b0
SHA512 013ce9565c6323710396afda09a7c106cc583c7583f1f020b34d6d2e8907fb2fd25957a159e4742b7216ee1c913a0d13f93c48df26a18a8583125af5a55e4db5

memory/2704-90-0x00000000777B2000-0x00000000777B3000-memory.dmp

memory/2704-89-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2704-91-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee