dharma | ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
Size

267KB
MD5

e738a4ceec768287bb4fd511d5716347
SHA1

40be6837dbb3d2b3a03c0899777bf737a5349206
SHA256

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72
SHA512

f07bd25fb220f45b6f488caeb235f482d6c0abcca7036e85614244dc56e7fa566e17e89fab354281caa7bacf21e251e3d3d80cfa59bc1fcbf31c8887826e39a5

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe = "C:\\Windows\\System32\\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe"	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Drops file in System32 directory 1 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

description	ioc	process
File created	C:\Windows\System32\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Drops file in Program Files directory 64 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fa.pak	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected].[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\gmail.crx.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es-419.pak.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\id.pak	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_common.dll.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt.id-3FDF0631.[telegram_@spacedatax].ROGER	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1992	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
4936	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
4804	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
3876	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
5032	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
744	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
5028	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
3816	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
220	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
2300	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1964	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
2028	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
4780	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
2468	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1488	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
2000	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
2432	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
3368	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
4068	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1412	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1312	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1548	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
3728	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1028	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
4948	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
5100	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
780	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1848	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
292	1708	WerFault.exe	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3044 vssadmin.exe

pid	process
3044	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

pid	process
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3800 vssvc.exe
Token: SeRestorePrivilege 3800 vssvc.exe
Token: SeAuditPrivilege 3800 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3800	vssvc.exe
Token: SeRestorePrivilege	3800	vssvc.exe
Token: SeAuditPrivilege	3800	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 872	1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe	cmd.exe
PID 1708 wrote to memory of 872	1708	ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe	cmd.exe
PID 872 wrote to memory of 2512	872	cmd.exe	mode.com
PID 872 wrote to memory of 2512	872	cmd.exe	mode.com
PID 872 wrote to memory of 3044	872	cmd.exe	vssadmin.exe
PID 872 wrote to memory of 3044	872	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe
"C:\Users\Admin\AppData\Local\Temp\ea0b83c9616db34698c08fa0a58adf67f18f0c9d7d7f153dbc9c50e5b7683a72.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2512
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 520
  2⤵
  - Program crash
  PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 528
  2⤵
  - Program crash
  PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 560
  2⤵
  - Program crash
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 572
  2⤵
  - Program crash
  PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 580
  2⤵
  - Program crash
  PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 592
  2⤵
  - Program crash
  PID:744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 620
  2⤵
  - Program crash
  PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 652
  2⤵
  - Program crash
  PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 644
  2⤵
  - Program crash
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 704
  2⤵
  - Program crash
  PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 740
  2⤵
  - Program crash
  PID:1964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 764
  2⤵
  - Program crash
  PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 800
  2⤵
  - Program crash
  PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 808
  2⤵
  - Program crash
  PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 780
  2⤵
  - Program crash
  PID:1488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 784
  2⤵
  - Program crash
  PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 832
  2⤵
  - Program crash
  PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 908
  2⤵
  - Program crash
  PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 884
  2⤵
  - Program crash
  PID:4068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 672
  2⤵
  - Program crash
  PID:1412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 780
  2⤵
  - Program crash
  PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 740
  2⤵
  - Program crash
  PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 964
  2⤵
  - Program crash
  PID:3728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1016
  2⤵
  - Program crash
  PID:1028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 816
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 928
  2⤵
  - Program crash
  PID:5100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 844
  2⤵
  - Program crash
  PID:780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 796
  2⤵
  - Program crash
  PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1016
  2⤵
  - Program crash
  PID:292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1708 -ip 1708
1⤵
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1708 -ip 1708
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1708 -ip 1708
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1708 -ip 1708
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1708 -ip 1708
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1708 -ip 1708
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1708 -ip 1708
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1708 -ip 1708
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1708 -ip 1708
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1708 -ip 1708
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1708 -ip 1708
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1708 -ip 1708
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1708 -ip 1708
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1708 -ip 1708
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1708 -ip 1708
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1708 -ip 1708
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1708 -ip 1708
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1708 -ip 1708
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1708 -ip 1708
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1708 -ip 1708
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1708 -ip 1708
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1708 -ip 1708
1⤵
PID:268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1708 -ip 1708
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-131-0x0000000000000000-mapping.dmp

Download
memory/1708-130-0x0000000000F38000-0x0000000000F4C000-memory.dmp

Filesize
80KB

Download
memory/1708-133-0x0000000000F38000-0x0000000000F4C000-memory.dmp

Filesize
80KB

Download
memory/1708-134-0x0000000000DA0000-0x0000000000DB9000-memory.dmp

Filesize
100KB

Download
memory/1708-136-0x0000000000400000-0x0000000000C1C000-memory.dmp

Filesize
8.1MB

Download
memory/2512-132-0x0000000000000000-mapping.dmp

Download
memory/3044-135-0x0000000000000000-mapping.dmp

Download