dharma | 3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1

Analysis

max time kernel
157s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
Size

268KB
MD5

30b33d6394125d6c20049c0857ca839d
SHA1

728104018c815058007a506dd2495a9865879ead
SHA256

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1
SHA512

ed5539bcf6967c02d974744a876729900170e16db75da04140894e1da1b89e043fb75844380f904285a5d5a850859b2687b589a62f83c76a309d19c994cc24e9

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe = "C:\\Windows\\System32\\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe"	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\desktop.ini	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Drops file in System32 directory 1 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

description	ioc	process
File created	C:\Windows\System32\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Drops file in Program Files directory 64 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

description	ioc	process
File opened for modification	C:\Program Files\GroupEnable.avi	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\HostConfigHighContrast.json	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-400.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-125.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-awt.jar.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\deploy.dll	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-lightunplated.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\taster_post_call_illustration.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-100.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.id-5018FF5F.[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[telegram_@spacedatax].ROGER	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Program crash 42 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
536	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4984	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4284	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1964	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3360	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2924	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3820	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2220	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2832	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
392	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3584	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3664	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4504	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3432	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2468	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2432	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2096	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
5036	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4244	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4336	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2124	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4476	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3768	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3176	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3548	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
3868	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
528	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4404	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4820	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1332	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4540	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4208	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4128	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4984	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
376	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
520	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2668	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4048	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4240	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4144	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
2608	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
4060	1152	WerFault.exe	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2476 vssadmin.exe

pid	process
2476	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

pid	process
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2448 vssvc.exe
Token: SeRestorePrivilege 2448 vssvc.exe
Token: SeAuditPrivilege 2448 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2448	vssvc.exe
Token: SeRestorePrivilege	2448	vssvc.exe
Token: SeAuditPrivilege	2448	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 4756	1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe	cmd.exe
PID 1152 wrote to memory of 4756	1152	3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe	cmd.exe
PID 4756 wrote to memory of 2744	4756	cmd.exe	mode.com
PID 4756 wrote to memory of 2744	4756	cmd.exe	mode.com
PID 4756 wrote to memory of 2476	4756	cmd.exe	vssadmin.exe
PID 4756 wrote to memory of 2476	4756	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe
"C:\Users\Admin\AppData\Local\Temp\3f083bbc36e3491c317ac43ff994a1ad75314a3c0b41ddb3b5079e18ba4110b1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2744
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 628
  2⤵
  - Program crash
  PID:536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 636
  2⤵
  - Program crash
  PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 628
  2⤵
  - Program crash
  PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 700
  2⤵
  - Program crash
  PID:1964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 652
  2⤵
  - Program crash
  PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 748
  2⤵
  - Program crash
  PID:2924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 752
  2⤵
  - Program crash
  PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 800
  2⤵
  - Program crash
  PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 808
  2⤵
  - Program crash
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 840
  2⤵
  - Program crash
  PID:392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 872
  2⤵
  - Program crash
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 880
  2⤵
  - Program crash
  PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 852
  2⤵
  - Program crash
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 908
  2⤵
  - Program crash
  PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 888
  2⤵
  - Program crash
  PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 944
  2⤵
  - Program crash
  PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 884
  2⤵
  - Program crash
  PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 872
  2⤵
  - Program crash
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 852
  2⤵
  - Program crash
  PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 888
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 968
  2⤵
  - Program crash
  PID:2124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 976
  2⤵
  - Program crash
  PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1004
  2⤵
  - Program crash
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 872
  2⤵
  - Program crash
  PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 976
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1020
  2⤵
  - Program crash
  PID:3868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1012
  2⤵
  - Program crash
  PID:528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 956
  2⤵
  - Program crash
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 996
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 888
  2⤵
  - Program crash
  PID:1332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 924
  2⤵
  - Program crash
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 852
  2⤵
  - Program crash
  PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 948
  2⤵
  - Program crash
  PID:4128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 828
  2⤵
  - Program crash
  PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 940
  2⤵
  - Program crash
  PID:376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 916
  2⤵
  - Program crash
  PID:520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 920
  2⤵
  - Program crash
  PID:2668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 932
  2⤵
  - Program crash
  PID:4048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 864
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 924
  2⤵
  - Program crash
  PID:4144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 728
  2⤵
  - Program crash
  PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1000
  2⤵
  - Program crash
  PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1152 -ip 1152
1⤵
PID:2212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1152 -ip 1152
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1152 -ip 1152
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1152 -ip 1152
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1152 -ip 1152
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1152 -ip 1152
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1152 -ip 1152
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1152 -ip 1152
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1152 -ip 1152
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1152 -ip 1152
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1152 -ip 1152
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1152 -ip 1152
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1152 -ip 1152
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1152 -ip 1152
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1152 -ip 1152
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1152 -ip 1152
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1152 -ip 1152
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1152 -ip 1152
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 1152 -ip 1152
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1152 -ip 1152
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1152 -ip 1152
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 1152 -ip 1152
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1152 -ip 1152
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1152 -ip 1152
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 1152 -ip 1152
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1152 -ip 1152
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 1152 -ip 1152
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 1152 -ip 1152
1⤵
PID:280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1152 -ip 1152
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 1152 -ip 1152
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 1152 -ip 1152
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1152 -ip 1152
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 1152 -ip 1152
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1152 -ip 1152
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1152 -ip 1152
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 1152 -ip 1152
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1152 -ip 1152
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1152 -ip 1152
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1152 -ip 1152
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1152 -ip 1152
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 1152 -ip 1152
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1152 -ip 1152
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-130-0x0000000000E8A000-0x0000000000E9D000-memory.dmp

Filesize
76KB

Download
memory/1152-131-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/1152-132-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2476-135-0x0000000000000000-mapping.dmp

Download
memory/2744-134-0x0000000000000000-mapping.dmp

Download
memory/4756-133-0x0000000000000000-mapping.dmp

Download