ryuk | 42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662

Analysis

max time kernel
112s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
07/03/2021, 22:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rudZqlH.exe
Size

254KB
MD5

4540720d38ed99bceeb97161ca1ff401
SHA1

5714dfd839db561ebcb3cccfcb6f0e39ef644f7b
SHA256

4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb
SHA512

2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1672 created 4288	1672	WerFault.exe	82
PID 5060 created 4684	5060	WerFault.exe	26

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
4288	oNHAJZT.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
936	icacls.exe
2588	icacls.exe
1868	icacls.exe
2172	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rudZqlH.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
3400	4684	WerFault.exe	26
524	4684	WerFault.exe	26
708	4684	WerFault.exe	26
4172	4684	WerFault.exe	26
3352	4684	WerFault.exe	26
3220	4684	WerFault.exe	26
4088	4684	WerFault.exe	26
1772	4684	WerFault.exe	26
4500	4684	WerFault.exe	26
580	4684	WerFault.exe	26
892	4684	WerFault.exe	26
212	4288	WerFault.exe	82
3916	4288	WerFault.exe	82
4520	4288	WerFault.exe	82
440	4288	WerFault.exe	82
3296	4288	WerFault.exe	82
3984	4288	WerFault.exe	82
3552	4288	WerFault.exe	82
2136	4288	WerFault.exe	82
4416	4288	WerFault.exe	82
4320	4288	WerFault.exe	82
1672	4288	WerFault.exe	82
2076	4684	WerFault.exe	26
5060	4684	WerFault.exe	26
5064	4684	WerFault.exe	26

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4644	vssadmin.exe
1584	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
3400	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
708	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
4172	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3400	WerFault.exe
Token: SeBackupPrivilege	3400	WerFault.exe
Token: SeDebugPrivilege	3400	WerFault.exe
Token: SeDebugPrivilege	524	WerFault.exe
Token: SeDebugPrivilege	708	WerFault.exe
Token: SeDebugPrivilege	4172	WerFault.exe
Token: SeDebugPrivilege	3352	WerFault.exe
Token: SeDebugPrivilege	3220	WerFault.exe
Token: SeDebugPrivilege	4684	rudZqlH.exe
Token: SeDebugPrivilege	4088	WerFault.exe
Token: SeDebugPrivilege	1772	WerFault.exe
Token: SeDebugPrivilege	4500	WerFault.exe
Token: SeDebugPrivilege	580	WerFault.exe
Token: SeDebugPrivilege	892	WerFault.exe
Token: SeBackupPrivilege	4288	oNHAJZT.exe
Token: SeDebugPrivilege	212	WerFault.exe
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3144	WMIC.exe
Token: SeSecurityPrivilege	3144	WMIC.exe
Token: SeTakeOwnershipPrivilege	3144	WMIC.exe
Token: SeLoadDriverPrivilege	3144	WMIC.exe
Token: SeSystemProfilePrivilege	3144	WMIC.exe
Token: SeSystemtimePrivilege	3144	WMIC.exe
Token: SeProfSingleProcessPrivilege	3144	WMIC.exe
Token: SeIncBasePriorityPrivilege	3144	WMIC.exe
Token: SeCreatePagefilePrivilege	3144	WMIC.exe
Token: SeBackupPrivilege	3144	WMIC.exe
Token: SeRestorePrivilege	3144	WMIC.exe
Token: SeShutdownPrivilege	3144	WMIC.exe
Token: SeDebugPrivilege	3144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3144	WMIC.exe
Token: SeRemoteShutdownPrivilege	3144	WMIC.exe
Token: SeUndockPrivilege	3144	WMIC.exe
Token: SeManageVolumePrivilege	3144	WMIC.exe
Token: 33	3144	WMIC.exe
Token: 34	3144	WMIC.exe
Token: 35	3144	WMIC.exe
Token: 36	3144	WMIC.exe
Token: SeDebugPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	4520	WerFault.exe
Token: SeDebugPrivilege	440	WerFault.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4288	4684	rudZqlH.exe	82
PID 4684 wrote to memory of 4288	4684	rudZqlH.exe	82
PID 4684 wrote to memory of 4288	4684	rudZqlH.exe	82
PID 4684 wrote to memory of 2880	4684	rudZqlH.exe	13
PID 4684 wrote to memory of 2928	4684	rudZqlH.exe	12
PID 4684 wrote to memory of 4432	4684	rudZqlH.exe	85
PID 4684 wrote to memory of 4432	4684	rudZqlH.exe	85
PID 4684 wrote to memory of 4432	4684	rudZqlH.exe	85
PID 4432 wrote to memory of 4448	4432	net.exe	88
PID 4432 wrote to memory of 4448	4432	net.exe	88
PID 4432 wrote to memory of 4448	4432	net.exe	88
PID 4684 wrote to memory of 3036	4684	rudZqlH.exe	10
PID 4684 wrote to memory of 884	4684	rudZqlH.exe	90
PID 4684 wrote to memory of 884	4684	rudZqlH.exe	90
PID 4684 wrote to memory of 884	4684	rudZqlH.exe	90
PID 884 wrote to memory of 1228	884	net.exe	93
PID 884 wrote to memory of 1228	884	net.exe	93
PID 884 wrote to memory of 1228	884	net.exe	93
PID 4684 wrote to memory of 3376	4684	rudZqlH.exe	2
PID 4684 wrote to memory of 3408	4684	rudZqlH.exe	9
PID 4684 wrote to memory of 3624	4684	rudZqlH.exe	8
PID 4684 wrote to memory of 3900	4684	rudZqlH.exe	7
PID 4288 wrote to memory of 1868	4288	oNHAJZT.exe	96
PID 4288 wrote to memory of 1868	4288	oNHAJZT.exe	96
PID 4288 wrote to memory of 1868	4288	oNHAJZT.exe	96
PID 4288 wrote to memory of 2172	4288	oNHAJZT.exe	98
PID 4288 wrote to memory of 2172	4288	oNHAJZT.exe	98
PID 4288 wrote to memory of 2172	4288	oNHAJZT.exe	98
PID 4288 wrote to memory of 2264	4288	oNHAJZT.exe	100
PID 4288 wrote to memory of 2264	4288	oNHAJZT.exe	100
PID 4288 wrote to memory of 2264	4288	oNHAJZT.exe	100
PID 4288 wrote to memory of 4644	4288	oNHAJZT.exe	102
PID 4288 wrote to memory of 4644	4288	oNHAJZT.exe	102
PID 4288 wrote to memory of 4644	4288	oNHAJZT.exe	102
PID 2264 wrote to memory of 3144	2264	cmd.exe	105
PID 2264 wrote to memory of 3144	2264	cmd.exe	105
PID 2264 wrote to memory of 3144	2264	cmd.exe	105
PID 4684 wrote to memory of 936	4684	rudZqlH.exe	118
PID 4684 wrote to memory of 936	4684	rudZqlH.exe	118
PID 4684 wrote to memory of 936	4684	rudZqlH.exe	118
PID 4684 wrote to memory of 2588	4684	rudZqlH.exe	120
PID 4684 wrote to memory of 2588	4684	rudZqlH.exe	120
PID 4684 wrote to memory of 2588	4684	rudZqlH.exe	120
PID 4684 wrote to memory of 1588	4684	rudZqlH.exe	121
PID 4684 wrote to memory of 1588	4684	rudZqlH.exe	121
PID 4684 wrote to memory of 1588	4684	rudZqlH.exe	121
PID 4684 wrote to memory of 1584	4684	rudZqlH.exe	122
PID 4684 wrote to memory of 1584	4684	rudZqlH.exe	122
PID 4684 wrote to memory of 1584	4684	rudZqlH.exe	122
PID 4684 wrote to memory of 1400	4684	rudZqlH.exe	126
PID 4684 wrote to memory of 1400	4684	rudZqlH.exe	126
PID 4684 wrote to memory of 1400	4684	rudZqlH.exe	126
PID 1588 wrote to memory of 3524	1588	cmd.exe	132
PID 1588 wrote to memory of 3524	1588	cmd.exe	132
PID 1588 wrote to memory of 3524	1588	cmd.exe	132
PID 1400 wrote to memory of 3660	1400	cmd.exe	133
PID 1400 wrote to memory of 3660	1400	cmd.exe	133
PID 1400 wrote to memory of 3660	1400	cmd.exe	133

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3408

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2928

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe
"C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1000
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1036
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1044
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1084
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Users\Admin\AppData\Local\Temp\oNHAJZT.exe
  "C:\Users\Admin\AppData\Local\Temp\oNHAJZT.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1868
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3144
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 680
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 672
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 760
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 836
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 968
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1104
    3⤵
    - Program crash
    PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1068
    3⤵
    - Program crash
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1148
    3⤵
    - Program crash
    PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1184
    3⤵
    - Program crash
    PID:4416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1212
    3⤵
    - Program crash
    PID:4320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1204
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1252
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1264
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1240
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1128
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1204
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    PID:3524
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1376
  2⤵
  - Program crash
  PID:2076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1868
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1912
  2⤵
  - Program crash
  PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-64-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/440-119-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/524-8-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/524-11-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/580-47-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/708-12-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/892-51-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1672-146-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1772-35-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2076-155-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2136-131-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3220-23-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3296-122-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3352-19-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/3400-3-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/3400-4-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/3552-128-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/3916-69-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/3984-125-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4088-30-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4172-15-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4288-34-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4288-72-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4288-73-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4320-143-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4320-144-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4320-140-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4416-135-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-40-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4520-80-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-96-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-74-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-117-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-116-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-115-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-114-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-113-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-112-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-109-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-111-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-110-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-108-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-107-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-105-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-106-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-104-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-103-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-102-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-101-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-100-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-99-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-98-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-77-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-97-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-95-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-94-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-93-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-90-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-92-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-91-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-89-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-88-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-87-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-86-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-85-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-84-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-83-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-81-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-82-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-78-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4520-79-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/4684-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4684-7-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/4684-6-0x0000000002010000-0x0000000002042000-memory.dmp

Filesize
200KB

Download
memory/5060-169-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/5064-166-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download