dharma | 7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c

Analysis

max time kernel
152s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
Size

253KB
MD5

651a44b6585b8f178752dae7a8aeef57
SHA1

2b81118b2ed620d26181a1e97decdb93c47b8ed1
SHA256

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c
SHA512

b6ac1947c4d36c2bdc357ecd4ceed4612046f524978579003d9e9e5ba0e5b95ee48420127020a50ecd6b665095a07b4ac2c116703cb3cdd242dd5ad50f488883

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: http://dj55huaqbbsnhwngb5rgeq65ns3nteyon7wlp32gkamzs3k2ogrdr5qd.onion/chat.php or Telegram telegram_@spacedatax Your ID DF56BDA4 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: telegram_@spacedatax Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

URLs

http://dj55huaqbbsnhwngb5rgeq65ns3nteyon7wlp32gkamzs3k2ogrdr5qd.onion/chat.php

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ClearLimit.tiff	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStop.tiff	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Drops startup file 5 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe = "C:\\Windows\\System32\\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe"	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Drops file in System32 directory 2 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
File created	C:\Windows\System32\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Windows\System32\Info.hta	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Drops file in Program Files directory 64 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lt_get.svg.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1809750270-3141839489-3074374771-1000-MergedResources-0.pri	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxb.ttf	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-100.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\selector.js	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.Serialization.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\7-Zip\descript.ion.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\splashscreen.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\B6D67B96-7485-47C3-86B5-53EBE626BF73.json	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\dot.cur.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-200_contrast-white.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\net.properties.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\ui-strings.js.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\ui-strings.js.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kok.pak.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-200.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-white.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcr120.dll.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ga.pak.DATA	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-100.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinChart.v11.1.dll.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\SmallTile.scale-200.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\ui-strings.js	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.id-DF56BDA4.[telegram_@spacedatax].ROGER	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-100_contrast-white.png	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 62 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2500	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1652	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2824	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
244	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4308	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1312	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4416	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1880	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4612	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3464	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
824	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4848	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1412	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2400	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1808	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4832	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1924	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4940	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3524	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3724	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4292	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4368	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4888	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
656	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1484	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1608	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3584	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4644	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
308	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2452	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3364	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1748	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4896	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
244	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4308	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4928	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3508	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4484	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3572	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2300	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4312	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
1640	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2400	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3476	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4788	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4892	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4136	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3424	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4220	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
324	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2528	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2216	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3880	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3888	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3732	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4992	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4904	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4500	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
4168	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2828	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
2044	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3652	3608	WerFault.exe	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4352 vssadmin.exe
4336 vssadmin.exe

pid	process
4352	vssadmin.exe
4336	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

pid	process
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4228 vssvc.exe
Token: SeRestorePrivilege 4228 vssvc.exe
Token: SeAuditPrivilege 4228 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4228	vssvc.exe
Token: SeRestorePrivilege	4228	vssvc.exe
Token: SeAuditPrivilege	4228	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.execmd.execmd.exe

description	pid	process	target process
PID 3608 wrote to memory of 2084	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	cmd.exe
PID 3608 wrote to memory of 2084	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	cmd.exe
PID 2084 wrote to memory of 4252	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 4252	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 4352	2084	cmd.exe	vssadmin.exe
PID 2084 wrote to memory of 4352	2084	cmd.exe	vssadmin.exe
PID 3608 wrote to memory of 3780	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	cmd.exe
PID 3608 wrote to memory of 3780	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	cmd.exe
PID 3780 wrote to memory of 360	3780	cmd.exe	mode.com
PID 3780 wrote to memory of 360	3780	cmd.exe	mode.com
PID 3780 wrote to memory of 4336	3780	cmd.exe	vssadmin.exe
PID 3780 wrote to memory of 4336	3780	cmd.exe	vssadmin.exe
PID 3608 wrote to memory of 1800	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	mshta.exe
PID 3608 wrote to memory of 1800	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	mshta.exe
PID 3608 wrote to memory of 5064	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	mshta.exe
PID 3608 wrote to memory of 5064	3608	7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe
"C:\Users\Admin\AppData\Local\Temp\7da1eedc1d33ae42f326c4ac222a911c5a3bd1e9997b913fc550debf9b53a58c.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:4252
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 524
  2⤵
  - Program crash
  PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 568
  2⤵
  - Program crash
  PID:1652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 576
  2⤵
  - Program crash
  PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 596
  2⤵
  - Program crash
  PID:244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 588
  2⤵
  - Program crash
  PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 552
  2⤵
  - Program crash
  PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 664
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 672
  2⤵
  - Program crash
  PID:1880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 700
  2⤵
  - Program crash
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 716
  2⤵
  - Program crash
  PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 732
  2⤵
  - Program crash
  PID:824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 752
  2⤵
  - Program crash
  PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 764
  2⤵
  - Program crash
  PID:1412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 820
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 828
  2⤵
  - Program crash
  PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 932
  2⤵
  - Program crash
  PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 944
  2⤵
  - Program crash
  PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012
  2⤵
  - Program crash
  PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 912
  2⤵
  - Program crash
  PID:3524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1000
  2⤵
  - Program crash
  PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 892
  2⤵
  - Program crash
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 824
  2⤵
  - Program crash
  PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984
  2⤵
  - Program crash
  PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 912
  2⤵
  - Program crash
  PID:656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 908
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 940
  2⤵
  - Program crash
  PID:1608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 868
  2⤵
  - Program crash
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 872
  2⤵
  - Program crash
  PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 936
  2⤵
  - Program crash
  PID:308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 868
  2⤵
  - Program crash
  PID:2452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 960
  2⤵
  - Program crash
  PID:3364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1000
  2⤵
  - Program crash
  PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 764
  2⤵
  - Program crash
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 728
  2⤵
  - Program crash
  PID:244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 860
  2⤵
  - Program crash
  PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 852
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 884
  2⤵
  - Program crash
  PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 912
  2⤵
  - Program crash
  PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 944
  2⤵
  - Program crash
  PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 828
  2⤵
  - Program crash
  PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 868
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1016
  2⤵
  - Program crash
  PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 852
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1016
  2⤵
  - Program crash
  PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 768
  2⤵
  - Program crash
  PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 760
  2⤵
  - Program crash
  PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 888
  2⤵
  - Program crash
  PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 936
  2⤵
  - Program crash
  PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 832
  2⤵
  - Program crash
  PID:4220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 912
  2⤵
  - Program crash
  PID:324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 848
  2⤵
  - Program crash
  PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 928
  2⤵
  - Program crash
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 888
  2⤵
  - Program crash
  PID:3880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 636
  2⤵
  - Program crash
  PID:3888
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:360
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 812
  2⤵
  - Program crash
  PID:3732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1060
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1060
  2⤵
  - Program crash
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1336
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1156
  2⤵
  - Program crash
  PID:4168
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1300
  2⤵
  - Program crash
  PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1048
  2⤵
  - Program crash
  PID:2044
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1300
  2⤵
  - Program crash
  PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3608 -ip 3608
1⤵
PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3608 -ip 3608
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3608 -ip 3608
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3608 -ip 3608
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3608 -ip 3608
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3608 -ip 3608
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3608 -ip 3608
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3608 -ip 3608
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3608 -ip 3608
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3608 -ip 3608
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3608 -ip 3608
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3608 -ip 3608
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3608 -ip 3608
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3608 -ip 3608
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3608 -ip 3608
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3608 -ip 3608
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3608 -ip 3608
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3608 -ip 3608
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 3608
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3608 -ip 3608
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3608 -ip 3608
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3608 -ip 3608
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3608 -ip 3608
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3608 -ip 3608
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3608 -ip 3608
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3608 -ip 3608
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 3608
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3608 -ip 3608
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3608 -ip 3608
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3608 -ip 3608
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3608 -ip 3608
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3608 -ip 3608
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3608 -ip 3608
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3608 -ip 3608
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3608 -ip 3608
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3608 -ip 3608
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3608 -ip 3608
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3608 -ip 3608
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3608 -ip 3608
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3608 -ip 3608
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3608 -ip 3608
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3608 -ip 3608
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3608 -ip 3608
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3608 -ip 3608
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3608 -ip 3608
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3608 -ip 3608
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 3608 -ip 3608
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3608 -ip 3608
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3608 -ip 3608
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3608 -ip 3608
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3608 -ip 3608
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3608 -ip 3608
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3608 -ip 3608
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3608 -ip 3608
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3608 -ip 3608
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3608 -ip 3608
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3608 -ip 3608
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3608 -ip 3608
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 3608 -ip 3608
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 3608 -ip 3608
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
4d1354f69aa3b20621123cddc4483738

SHA1
3d4bfb2c2e0ad59f9434353a1a35db98f57cfb95

SHA256
f92d92081d457569809a7eb51c0e4043116071d46cabbee622a8bef9333e2cc6

SHA512
05f54ee5d0d3e3de266d659ceffa795558a712df3976ee22f944f4d73378edbc20f59b46a0e370313204fb3389f15b534d14146594db4efcffa63ce36d2123c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
4d1354f69aa3b20621123cddc4483738

SHA1
3d4bfb2c2e0ad59f9434353a1a35db98f57cfb95

SHA256
f92d92081d457569809a7eb51c0e4043116071d46cabbee622a8bef9333e2cc6

SHA512
05f54ee5d0d3e3de266d659ceffa795558a712df3976ee22f944f4d73378edbc20f59b46a0e370313204fb3389f15b534d14146594db4efcffa63ce36d2123c6

Download Submit
memory/360-137-0x0000000000000000-mapping.dmp

Download
memory/1800-139-0x0000000000000000-mapping.dmp

Download
memory/2084-130-0x0000000000000000-mapping.dmp

Download
memory/3608-133-0x000000000247A000-0x000000000248D000-memory.dmp

Filesize
76KB

Download
memory/3608-135-0x0000000000400000-0x00000000022FC000-memory.dmp

Filesize
31.0MB

Download
memory/3608-134-0x0000000002440000-0x0000000002459000-memory.dmp

Filesize
100KB

Download
memory/3780-136-0x0000000000000000-mapping.dmp

Download
memory/4252-131-0x0000000000000000-mapping.dmp

Download
memory/4336-138-0x0000000000000000-mapping.dmp

Download
memory/4352-132-0x0000000000000000-mapping.dmp

Download
memory/5064-142-0x0000000000000000-mapping.dmp

Download