Malware Analysis Report

2024-12-07 02:47

Sample ID 241111-mnes5syaln
Target 5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N
SHA256 5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9
Tags
ramnit sality backdoor banker discovery evasion persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9

Threat Level: Known bad

The file 5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N was found to be: Known bad.

Malicious Activity Summary

ramnit sality backdoor banker discovery evasion persistence spyware stealer trojan upx worm

Ramnit

Sality

UAC bypass

Windows security bypass

Modifies WinLogon for persistence

Sality family

Modifies firewall policy service

Ramnit family

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Checks processor information in registry

System policy modification

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 10:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 10:36

Reported

2024-11-11 10:38

Platform

win7-20241010-en

Max time kernel

10s

Max time network

94s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxE003.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Windows\SysWOW64\rundll32mgr.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1952 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1952 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1952 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2272 wrote to memory of 1240 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\system32\taskhost.exe
PID 2272 wrote to memory of 1324 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\system32\Dwm.exe
PID 2272 wrote to memory of 1388 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1676 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\system32\DllHost.exe
PID 2272 wrote to memory of 2468 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2272 wrote to memory of 2468 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2272 wrote to memory of 2468 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2272 wrote to memory of 2468 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 1240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\taskhost.exe
PID 2468 wrote to memory of 1324 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\Dwm.exe
PID 2468 wrote to memory of 1388 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\Explorer.EXE
PID 2468 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\DllHost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2468 wrote to memory of 3004 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3004 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3004 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3004 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3004 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3004 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3004 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 372 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3004 wrote to memory of 372 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3004 wrote to memory of 372 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3004 wrote to memory of 372 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3004 wrote to memory of 372 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3004 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3004 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.200.14:80 google.com tcp

Files

memory/1952-0-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1952-2-0x0000000010000000-0x0000000010065000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 a3b1f1c4cd75bea10095e054f990bf1d
SHA1 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256 a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA512 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

memory/2272-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-23-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1952-6-0x00000000001D0000-0x0000000000204000-memory.dmp

memory/1952-4-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1952-11-0x00000000001D0000-0x0000000000204000-memory.dmp

memory/2272-32-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-29-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-46-0x0000000000880000-0x0000000000881000-memory.dmp

memory/2272-26-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-27-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-20-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-13-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-28-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2272-30-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-43-0x0000000000880000-0x0000000000881000-memory.dmp

memory/2272-42-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2272-62-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1240-35-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

memory/2272-34-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2272-33-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2272-21-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/2272-57-0x0000000002920000-0x00000000039AE000-memory.dmp

memory/320-82-0x0000000020010000-0x0000000020022000-memory.dmp

memory/320-107-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2272-64-0x0000000004A20000-0x0000000004A54000-memory.dmp

memory/320-106-0x0000000000080000-0x0000000000081000-memory.dmp

memory/320-105-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2468-104-0x000000007746F000-0x0000000077470000-memory.dmp

memory/2468-103-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2468-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 4891b97273b2f9a024fd8aa3dbee7ba9
SHA1 a84287c63e56bc31d11981d96691a277064627b2
SHA256 916176b0f17638e29c6c98a1a267c65f7617b8bd447775c3b02245a0b4046d98
SHA512 9fee5e0f738320aa9ec56202de93413c9ce939b32918f1ddd1e881faddd1a6fcd00794c579027c5d17756791f09903be6b76030e8b726a2e95a411cc4ca8224e

memory/320-101-0x0000000020010000-0x0000000020022000-memory.dmp

memory/320-97-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2468-95-0x0000000002790000-0x000000000381E000-memory.dmp

memory/320-91-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2468-463-0x0000000002790000-0x000000000381E000-memory.dmp

memory/2468-467-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2468-468-0x000000007746F000-0x0000000077470000-memory.dmp

memory/2468-513-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2468-514-0x0000000002790000-0x000000000381E000-memory.dmp

C:\tmbo.exe

MD5 9fe71d2e99eb3b8e1e2ff0424f8e267c
SHA1 d5a7e728220bded4d49c7890ed0e12cf67aefbcd
SHA256 f1f536975e5e3045d9c5c1772e5c22aece0a8a908d62c681adb9d1041b15c1d0
SHA512 c5833004dcbc783d32440393355b8d3833c5f167d60f0d1c21c684f0379345c110983f050fa43cad444c849621b6a90bf862441fed31c5df944feaae216ce736

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 df6cbb040ca0b714a522f20902d56310
SHA1 730de50f9845e1c67e9947035ed860a80648d532
SHA256 f0e6bd9fd1ddccc10e26941683c85172359c714fc634a1978fe06f9c69db966a
SHA512 54aae1d430923666efe36d5b9254daee53615d8fa96a0d760dba19b86eb32aec7168f5fef9f2967239a16afc3e9e0e0825e48b5dbc78df58c15b121c3d0cefe3

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 4ff939af0aba1a79da86b756c703f32f
SHA1 5fc480b00cfe2758bd231a2e6b17e32f62ba19d3
SHA256 950c845afda8bcbea4a08192ade3000b73693eb441618349748feaa91c97a4b4
SHA512 1e0b8aad8fee7b50cc1333ed5ede98020974a64e782601f2fd5ac9cad5a6f4a5449340e0bdc1cf8ff27258538bee20f81dc1ef5edbe997f0a7e56529511ddcc1

C:\Program Files\7-Zip\Uninstall.exe

MD5 f4e89a2adbcf3050cfebe582a19c23de
SHA1 1e45141f0209cfbc3a2400cbe837d27a9192881d
SHA256 76a6bacf04b6fec330f90e9578717083258ead99c83e8b98da5f2006956f05c0
SHA512 fb08383996a3c218315589c3f820a9d1f36ffd0c2c67257fbafecfa64376e15cd9dd07b38c6e077160de5583d4e1ec9355aad418a9a31e01adb90cd520ef4e96

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 10:36

Reported

2024-11-11 10:38

Platform

win10v2004-20241007-en

Max time kernel

18s

Max time network

94s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px8B58.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Windows\SysWOW64\rundll32mgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D2EA51BC-A018-11EF-B9B6-520873AEBE93} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D2E7EFD4-A018-11EF-B9B6-520873AEBE93} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 4140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4140 wrote to memory of 2884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2884 wrote to memory of 776 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\system32\fontdrvhost.exe
PID 2884 wrote to memory of 4012 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4012 wrote to memory of 64 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4012 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\fontdrvhost.exe
PID 4012 wrote to memory of 784 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\fontdrvhost.exe
PID 4012 wrote to memory of 384 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\dwm.exe
PID 4012 wrote to memory of 2544 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\sihost.exe
PID 4012 wrote to memory of 2608 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\svchost.exe
PID 4012 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\taskhostw.exe
PID 4012 wrote to memory of 3560 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\Explorer.EXE
PID 4012 wrote to memory of 3664 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\svchost.exe
PID 4012 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\DllHost.exe
PID 4012 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4012 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\System32\RuntimeBroker.exe
PID 4012 wrote to memory of 760 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4012 wrote to memory of 4196 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\System32\RuntimeBroker.exe
PID 4012 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4012 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\System32\RuntimeBroker.exe
PID 4012 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\System32\RuntimeBroker.exe
PID 4012 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4012 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\system32\rundll32.exe
PID 4012 wrote to memory of 4140 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 3356 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
PID 4012 wrote to memory of 4348 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\WerFault.exe
PID 4012 wrote to memory of 1852 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4012 wrote to memory of 1532 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1852 wrote to memory of 1124 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\rundll32mgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5318d1d121856d35ee5670f13c5aea7919edd08356cff866fd7d573a6aa611f9N.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4140 -ip 4140

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 628

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sihost.exe

sihost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 a3b1f1c4cd75bea10095e054f990bf1d
SHA1 15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256 a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA512 7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

C:\Windows\SYSTEM.INI

MD5 6378cb77f3bfd2c0d3384cc9f36e4709
SHA1 68750e8a83b5dbe5e497786a47f7dab9ec35ff0e
SHA256 e209427bbe25b94fccc7e494ba4ca73f3ababae02a00d6cff4258b6ecbe647e1
SHA512 e9a83c73db9fed299a4266f188f73062ef90900791481fe0e0145a832f149a00d67b58eb578b66312507ba9f630a06244003683ccf56677e8844d578580f18ad

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D2EA51BC-A018-11EF-B9B6-520873AEBE93}.dat

MD5 68e29e1fd2f8079c337da9fb249e21db
SHA1 ec60fcd1d0a2cfae80a42c6b8e8273e1b817e10c
SHA256 d74e272e3e98c81af4dfcbb710c05f184a2b1dab4370257502d1622204caf1c5
SHA512 06f318d5f07c9dece6e9b3b8b6e37aeb7234245684c22009d02e8d9713b9d075f9b13d457f6aef14534b60e808085c00ed5319282e424b4b564c596a4927ecd2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D2E7EFD4-A018-11EF-B9B6-520873AEBE93}.dat

MD5 8623088696786e2e093fa3796e43852e
SHA1 b812566faa617fa377af15c9b6d3a5dda33ffc80
SHA256 54ade485b57fdc98db297352d60375216fa8b2040164e6cba5197635dfdb3029
SHA512 657b79208966335853d1b98b6ecb236f33ba17bfc3101d9016ec5e8c5edb9940c8c0ebcd0c82f113642df469d1ee6b11bb4a4e0dc73d8ecf78807ccb93ecfc5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ea6f4f772f0c592e24ca8ec502eac7ba
SHA1 fe49ef754f38cc6f22d79f702e087263c7ce5ed3
SHA256 c66e4655524d70901b0e460076e5088f0033d09c7c8f175e05221569cf572e13
SHA512 070d13ecefac10740d746931329d32f12f69f70442e86ab955dff74a3b4cee16beb0cefd124ba97d39deaa67c7442022332d2e2eb30e416d8350a428da9d6f60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2617fa049cad301f96b6cc6c3399ed25
SHA1 d299b67d1abacfde916133e7c1bb7732e7eea154
SHA256 25cd6fcc8d87c4e63155754b6ec4b7e7e77bcebb9e5233e493978d9a3ac7002e
SHA512 f9ebaeb5f14dd69c3c5ffa01783ce4a3a49338895f0d505e1fbcee47905c467f87c6697e90c04d2991f481f8ec4f75186434458ffd33893b814230853629467c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2C6A.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\htlhlm.pif

MD5 a5761af4488a6acb8ff4a8e6c68ce499
SHA1 5ede26672a8b9ebd27a107fff009164bbd259ed4
SHA256 1b65f81c02ef9d804e1a0db45f96b8a47ae8d8f48c9a207ff7bd04fe041759de
SHA512 79e99e86637b6a29c0ddfbd8cc82a9640e1bef8c445905895fffa7c774cae0f102d3b3a6d46b9d7944e217308d55eeb8894b32497a6776f2531bea6f3d5814cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee