Analysis

max time kernel: 35s
max time network: 113s
platform: windows10_x64
resource: win10v200722
submitted: 20-10-2020 10:12

Static task: static1
Behavioral task: behavioral1
  Sample: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  Resource: win10v200722
General

Target: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
Size: 341KB
MD5: 14ba7d3a1d28d8039695d2035182959e
SHA1: 29c653f5f95aba672ed1110d225d1780aeebe4f4
SHA256: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a
SHA512: a75f79f92ab8fd5b337b308c6476509e4fe4b06b93073ffdd6c04ebf547b6a77fda73a6f68286ec403b9d09f464467215738bcdd3ac021155a00de3d04fd7b44
Malware Config

Extracted from: C:\035i588g-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D740AC6038D38FC
  http://decryptor.cc/9D740AC6038D38FC
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  description    ioc                                                                                             process
  File renamed   C:\Users\Admin\Pictures\UnblockMount.tif => \??\c:\users\admin\pictures\UnblockMount.tif.035i588g        8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  File renamed   C:\Users\Admin\Pictures\ApproveDismount.tif => \??\c:\users\admin\pictures\ApproveDismount.tif.035i588g  8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  description (all 25 entries): File opened (read-only)
  ioc: \??\F:, \??\K:, \??\L:, \??\V:, \??\Y:, \??\D:, \??\A:, \??\H:, \??\N:, \??\Q:, \??\T:, \??\U:, \??\W:, \??\X:, \??\B:, \??\E:, \??\G:, \??\I:, \??\J:, \??\S:, \??\M:, \??\O:, \??\P:, \??\R:, \??\Z:
  process (all 25 entries): 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description   ioc                                                                                                      process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                  vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                 vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                        vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                   vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  description       ioc                                                                                                                                                      process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgaxp3.bmp"   8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
Drops file in Program Files directory (36 IoCs)
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe (process column for all 36 entries)
  File opened for modification, all under \??\c:\program files\ (34 entries):
    InstallBackup.crw, TestComplete.vst, BackupTest.vdx, DisconnectApprove.vssm, DisconnectRead.edrwx, HideMount.snd, SplitMeasure.xls, WatchConfirm.xlsx, ExportInvoke.vbs, MeasurePop.m3u, RepairSave.asx, ResumeRead.mpg,
    EnableRead.aiff, JoinSkip.xml, WatchAssert.kix, DebugClose.pptm, SyncEnter.TTS, UnpublishSuspend.jpg, PingCheckpoint.wmf, ShowTrace.docx, StartBackup.shtml, CheckpointCompress.avi, CopyExpand.ADTS, CopyReset.bmp, ExportPublish.asx, MountClear.eprtx, StopProtect.mpp,
    UseTrace.M2V, WatchRepair.xls, WatchSubmit.mp4, ConfirmMerge.mpg, CopyResolve.mp2v, RestoreConvertFrom.dwg, UndoDisable.jpe
  File created (2 entries):
    \??\c:\program files\035i588g-readme.txt
    \??\c:\program files (x86)\035i588g-readme.txt
Program crash (12 IoCs)
Processes: WerFault.exe (12 instances)
  pid_target / target process (all 12 entries): 3740 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  pid / process: 3556, 3572, 3460, 1308, 496, 1052, 4032, 2152, 276, 3444, 2060, 3364 WerFault.exe
Suspicious behavior: EnumeratesProcesses (173 IoCs)
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe, powershell.exe, WerFault.exe
  pid    process                                                                   entries
  3740   8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe   2
  2364   powershell.exe                                                            3
  3556   WerFault.exe                                                              14
  3572   WerFault.exe                                                              14
  3460   WerFault.exe                                                              14
  1308   WerFault.exe                                                              14
  496    WerFault.exe                                                              3 (the table is cut off at this point in the source; 173 entries are reported in total)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe, powershell.exe, WerFault.exe, vssvc.exe
  description                       pid                                                              process
  Token: SeDebugPrivilege           3740                                                             8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  Token: SeTakeOwnershipPrivilege   3740                                                             8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  Token: SeDebugPrivilege           2364                                                             powershell.exe
  Token: SeRestorePrivilege         3556                                                             WerFault.exe
  Token: SeBackupPrivilege          3556                                                             WerFault.exe
  Token: SeDebugPrivilege           3556                                                             WerFault.exe
  Token: SeBackupPrivilege          2808                                                             vssvc.exe
  Token: SeRestorePrivilege         2808                                                             vssvc.exe
  Token: SeAuditPrivilege           2808                                                             vssvc.exe
  Token: SeDebugPrivilege           3572, 3460, 1308, 496, 1052, 4032, 2152, 276, 3444, 2060, 3364   WerFault.exe (one entry per pid)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  description                        pid    process                                                                   target process
  PID 3740 wrote to memory of 2364   3740   8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe   powershell.exe
  PID 3740 wrote to memory of 2364   3740   8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe   powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8cdc6c54e57c51ca7ed43f1f56e09b352a8995a6c49dd163812e8ecfe03c613a.exe"
  PID: 3740
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 656
      PID: 3556
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes volume shadow copies and accounts for the vssvc.exe activity recorded under "Modifies service")
      PID: 2364
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 808
      PID: 3572
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 864
      PID: 3460
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 876
      PID: 1308
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 924
      PID: 496
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 900
      PID: 1052
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 928
      PID: 4032
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 968
      PID: 2152
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 932
      PID: 276
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 992
      PID: 3444
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 904
      PID: 2060
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 992
      PID: 3364
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2808
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3512
Network
MITRE ATT&CK Enterprise v6