ryuk | 42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662

Analysis

max time kernel
115s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rudZqlH.exe
Size

254KB
MD5

4540720d38ed99bceeb97161ca1ff401
SHA1

5714dfd839db561ebcb3cccfcb6f0e39ef644f7b
SHA256

4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb
SHA512

2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf
SSDEEP

3072:jrfwrgyViUc2LHCGwb4EVI3KwyuREPPg3Ubb5eW9OOH3F7ZHWAAf:vfgVNVbJ64EVKKXuREw33oHzuf

Score

10^/10

ryuk credential_access discovery persistence ransomware stealer

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	rudZqlH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bUnodPu.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
5060	bUnodPu.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3720	icacls.exe
220	icacls.exe
368	icacls.exe
3160	icacls.exe
744	icacls.exe
2796	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rudZqlH.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bUnodPu.exe"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1664	2312	WerFault.exe	82
60	2312	WerFault.exe	82
228	2312	WerFault.exe	82
2108	2312	WerFault.exe	82
4628	2312	WerFault.exe	82
1056	2312	WerFault.exe	82
4028	2312	WerFault.exe	82
2608	2312	WerFault.exe	82
1304	2312	WerFault.exe	82
2352	2312	WerFault.exe	82
3752	2312	WerFault.exe	82
3572	5060	WerFault.exe	96
2224	5060	WerFault.exe	96
4372	5060	WerFault.exe	96
548	5060	WerFault.exe	96
3676	5060	WerFault.exe	96
3556	5060	WerFault.exe	96
1316	2312	WerFault.exe	82
3164	5060	WerFault.exe	96
1576	2312	WerFault.exe	82
4648	5060	WerFault.exe	96
1520	2312	WerFault.exe	82
1580	5060	WerFault.exe	96
3252	5060	WerFault.exe	96
4872	2312	WerFault.exe	82
3360	5060	WerFault.exe	96
1264	2312	WerFault.exe	82
3160	2312	WerFault.exe	82
1664	2312	WerFault.exe	82
5008	2312	WerFault.exe	82
5028	2312	WerFault.exe	82
3596	2312	WerFault.exe	82
4532	2312	WerFault.exe	82
5100	2312	WerFault.exe	82
3276	2312	WerFault.exe	82
412	2312	WerFault.exe	82
3804	2312	WerFault.exe	82
3048	2312	WerFault.exe	82
3492	2312	WerFault.exe	82
3996	2312	WerFault.exe	82
4712	2312	WerFault.exe	82
224	2312	WerFault.exe	82
10208	5060	WerFault.exe	96
10036	2312	WerFault.exe	82
10180	2312	WerFault.exe	82
9992	2312	WerFault.exe	82
10048	2312	WerFault.exe	82
2532	2312	WerFault.exe	82
10144	2312	WerFault.exe	82
10172	2312	WerFault.exe	82
10016	2312	WerFault.exe	82
10024	5060	WerFault.exe	96
3908	2312	WerFault.exe	82
10076	2312	WerFault.exe	82
4636	2312	WerFault.exe	82
3352	2312	WerFault.exe	82
9996	2312	WerFault.exe	82
10032	2312	WerFault.exe	82
10088	2312	WerFault.exe	82
2680	2312	WerFault.exe	82
10164	2312	WerFault.exe	82
10072	2312	WerFault.exe	82
10188	2312	WerFault.exe	82
10224	2312	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bUnodPu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rudZqlH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2312	rudZqlH.exe
2312	rudZqlH.exe
2312	rudZqlH.exe
2312	rudZqlH.exe
5060	bUnodPu.exe
5060	bUnodPu.exe
2312	rudZqlH.exe
2312	rudZqlH.exe
2312	rudZqlH.exe
2312	rudZqlH.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	rudZqlH.exe
Token: SeBackupPrivilege	5060	bUnodPu.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe
Token: 33	4280	WMIC.exe
Token: 34	4280	WMIC.exe
Token: 35	4280	WMIC.exe
Token: 36	4280	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe
Token: 33	4280	WMIC.exe
Token: 34	4280	WMIC.exe
Token: 35	4280	WMIC.exe
Token: 36	4280	WMIC.exe
Token: SeBackupPrivilege	1256	vssvc.exe
Token: SeRestorePrivilege	1256	vssvc.exe
Token: SeAuditPrivilege	1256	vssvc.exe
Token: SeBackupPrivilege	2312	rudZqlH.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 5060	2312	rudZqlH.exe	96
PID 2312 wrote to memory of 5060	2312	rudZqlH.exe	96
PID 2312 wrote to memory of 5060	2312	rudZqlH.exe	96
PID 2312 wrote to memory of 2460	2312	rudZqlH.exe	42
PID 2312 wrote to memory of 2472	2312	rudZqlH.exe	43
PID 2312 wrote to memory of 2656	2312	rudZqlH.exe	47
PID 2312 wrote to memory of 2968	2312	rudZqlH.exe	101
PID 2312 wrote to memory of 2968	2312	rudZqlH.exe	101
PID 2312 wrote to memory of 2968	2312	rudZqlH.exe	101
PID 2968 wrote to memory of 4040	2968	net.exe	105
PID 2968 wrote to memory of 4040	2968	net.exe	105
PID 2968 wrote to memory of 4040	2968	net.exe	105
PID 2312 wrote to memory of 3648	2312	rudZqlH.exe	57
PID 2312 wrote to memory of 3844	2312	rudZqlH.exe	58
PID 2312 wrote to memory of 4836	2312	rudZqlH.exe	108
PID 2312 wrote to memory of 4836	2312	rudZqlH.exe	108
PID 2312 wrote to memory of 4836	2312	rudZqlH.exe	108
PID 4836 wrote to memory of 2152	4836	net.exe	112
PID 4836 wrote to memory of 2152	4836	net.exe	112
PID 4836 wrote to memory of 2152	4836	net.exe	112
PID 2312 wrote to memory of 3940	2312	rudZqlH.exe	59
PID 2312 wrote to memory of 4048	2312	rudZqlH.exe	60
PID 2312 wrote to memory of 2896	2312	rudZqlH.exe	61
PID 2312 wrote to memory of 3968	2312	rudZqlH.exe	62
PID 2312 wrote to memory of 4180	2312	rudZqlH.exe	64
PID 2312 wrote to memory of 2440	2312	rudZqlH.exe	76
PID 5060 wrote to memory of 368	5060	bUnodPu.exe	113
PID 5060 wrote to memory of 368	5060	bUnodPu.exe	113
PID 5060 wrote to memory of 368	5060	bUnodPu.exe	113
PID 5060 wrote to memory of 744	5060	bUnodPu.exe	114
PID 5060 wrote to memory of 744	5060	bUnodPu.exe	114
PID 5060 wrote to memory of 744	5060	bUnodPu.exe	114
PID 5060 wrote to memory of 3160	5060	bUnodPu.exe	115
PID 5060 wrote to memory of 3160	5060	bUnodPu.exe	115
PID 5060 wrote to memory of 3160	5060	bUnodPu.exe	115
PID 5060 wrote to memory of 1308	5060	bUnodPu.exe	117
PID 5060 wrote to memory of 1308	5060	bUnodPu.exe	117
PID 5060 wrote to memory of 1308	5060	bUnodPu.exe	117
PID 1308 wrote to memory of 4280	1308	cmd.exe	123
PID 1308 wrote to memory of 4280	1308	cmd.exe	123
PID 1308 wrote to memory of 4280	1308	cmd.exe	123
PID 2312 wrote to memory of 220	2312	rudZqlH.exe	139
PID 2312 wrote to memory of 220	2312	rudZqlH.exe	139
PID 2312 wrote to memory of 220	2312	rudZqlH.exe	139
PID 2312 wrote to memory of 3720	2312	rudZqlH.exe	140
PID 2312 wrote to memory of 3720	2312	rudZqlH.exe	140
PID 2312 wrote to memory of 3720	2312	rudZqlH.exe	140
PID 2312 wrote to memory of 2796	2312	rudZqlH.exe	141
PID 2312 wrote to memory of 2796	2312	rudZqlH.exe	141
PID 2312 wrote to memory of 2796	2312	rudZqlH.exe	141
PID 2312 wrote to memory of 4512	2312	rudZqlH.exe	142
PID 2312 wrote to memory of 4512	2312	rudZqlH.exe	142
PID 2312 wrote to memory of 4512	2312	rudZqlH.exe	142
PID 2312 wrote to memory of 2548	2312	rudZqlH.exe	143
PID 2312 wrote to memory of 2548	2312	rudZqlH.exe	143
PID 2312 wrote to memory of 2548	2312	rudZqlH.exe	143
PID 4512 wrote to memory of 4388	4512	cmd.exe	153
PID 4512 wrote to memory of 4388	4512	cmd.exe	153
PID 4512 wrote to memory of 4388	4512	cmd.exe	153
PID 2548 wrote to memory of 4400	2548	cmd.exe	154
PID 2548 wrote to memory of 4400	2548	cmd.exe	154
PID 2548 wrote to memory of 4400	2548	cmd.exe	154
PID 5060 wrote to memory of 4908	5060	bUnodPu.exe	171
PID 5060 wrote to memory of 4908	5060	bUnodPu.exe	171

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2472

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe
"C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 896
  2⤵
  - Program crash
  PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 952
  2⤵
  - Program crash
  PID:60
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1076
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1100
  2⤵
  - Program crash
  PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1100
  2⤵
  - Program crash
  PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1124
  2⤵
  - Program crash
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\bUnodPu.exe
  "C:\Users\Admin\AppData\Local\Temp\bUnodPu.exe" 8 LAN
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:744
- - C:\Windows\SysWOW64\icacls.exe
    icacls "F:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 644
    3⤵
    - Program crash
    PID:3572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 652
    3⤵
    - Program crash
    PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 800
    3⤵
    - Program crash
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 952
    3⤵
    - Program crash
    PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1044
    3⤵
    - Program crash
    PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1172
    3⤵
    - Program crash
    PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 700
    3⤵
    - Program crash
    PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1152
    3⤵
    - Program crash
    PID:4648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 976
    3⤵
    - Program crash
    PID:1580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 548
    3⤵
    - Program crash
    PID:3252
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1132
    3⤵
    - Program crash
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bUnodPu.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bUnodPu.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 3180
    3⤵
    - Program crash
    PID:10208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 6888
    3⤵
    - Program crash
    PID:10024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 7400
    3⤵
    PID:10236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 916
  2⤵
  - Program crash
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 916
  2⤵
  - Program crash
  PID:2608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1448
  2⤵
  - Program crash
  PID:1304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1420
  2⤵
  - Program crash
  PID:2352
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1540
  2⤵
  - Program crash
  PID:3752
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3720
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1608
  2⤵
  - Program crash
  PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1616
  2⤵
  - Program crash
  PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1912
  2⤵
  - Program crash
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1920
  2⤵
  - Program crash
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1956
  2⤵
  - Program crash
  PID:1264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  - Program crash
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1608
  2⤵
  - Program crash
  PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1964
  2⤵
  - Program crash
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1940
  2⤵
  - Program crash
  PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1956
  2⤵
  - Program crash
  PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1972
  2⤵
  - Program crash
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1916
  2⤵
  - Program crash
  PID:5100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  - Program crash
  PID:3276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1956
  2⤵
  - Program crash
  PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1924
  2⤵
  - Program crash
  PID:3804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1928
  2⤵
  - Program crash
  PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1984
  2⤵
  - Program crash
  PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1976
  2⤵
  - Program crash
  PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1928
  2⤵
  - Program crash
  PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1608
  2⤵
  - Program crash
  PID:10036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  - Program crash
  PID:10180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1940
  2⤵
  - Program crash
  PID:9992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1924
  2⤵
  - Program crash
  PID:10048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  - Program crash
  PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1924
  2⤵
  - Program crash
  PID:10144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  - Program crash
  PID:10172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1132
  2⤵
  - Program crash
  PID:10016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  - Program crash
  PID:3908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2004
  2⤵
  - Program crash
  PID:10076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  - Program crash
  PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1168
  2⤵
  - Program crash
  PID:3352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  - Program crash
  PID:9996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2032
  2⤵
  - Program crash
  PID:10032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2024
  2⤵
  - Program crash
  PID:10088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  - Program crash
  PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2028
  2⤵
  - Program crash
  PID:10164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1216
  2⤵
  - Program crash
  PID:10072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  - Program crash
  PID:10188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  - Program crash
  PID:10224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2028
  2⤵
  PID:10112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1040
  2⤵
  PID:10100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1132
  2⤵
  PID:10172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  PID:10096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1228
  2⤵
  PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1040
  2⤵
  PID:10188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1256
  2⤵
  PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1132
  2⤵
  PID:10228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1252
  2⤵
  PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1940
  2⤵
  PID:10232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1244
  2⤵
  PID:10216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1256
  2⤵
  PID:10112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2000
  2⤵
  PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1244
  2⤵
  PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1032
  2⤵
  PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1256
  2⤵
  PID:4560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
  2⤵
  PID:1132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 668
  2⤵
  PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1108
  2⤵
  PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1928
  2⤵
  PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1032
  2⤵
  PID:2136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  PID:2820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1916
  2⤵
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1956
  2⤵
  PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1040
  2⤵
  PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 952
  2⤵
  PID:5176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 668
  2⤵
  PID:5244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1256
  2⤵
  PID:5300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
  2⤵
  PID:5348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2032
  2⤵
  PID:5408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1228
  2⤵
  PID:5472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
  2⤵
  PID:5524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1164
  2⤵
  PID:5580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1132
  2⤵
  PID:5632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1240
  2⤵
  PID:5688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1248
  2⤵
  PID:5732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 668
  2⤵
  PID:5788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1228
  2⤵
  PID:5844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  PID:5896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1240
  2⤵
  PID:5948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  PID:6000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  PID:6056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  PID:6108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
  2⤵
  PID:6172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1152
  2⤵
  PID:6228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1960
  2⤵
  PID:6280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1928
  2⤵
  PID:6360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2012
  2⤵
  PID:6416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  PID:6468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2012
  2⤵
  PID:6560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1996
  2⤵
  PID:6616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  PID:6676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1144
  2⤵
  PID:6728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
  2⤵
  PID:6820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1088
  2⤵
  PID:6868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2016
  2⤵
  PID:6932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  PID:6988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  PID:7036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1168
  2⤵
  PID:7120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
  2⤵
  PID:7184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1236
  2⤵
  PID:7264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2012
  2⤵
  PID:7320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1112
  2⤵
  PID:7376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2012
  2⤵
  PID:7432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1236
  2⤵
  PID:7492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1988
  2⤵
  PID:7552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2016
  2⤵
  PID:7604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 880
  2⤵
  PID:7652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1236
  2⤵
  PID:7712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1112
  2⤵
  PID:7768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2052
  2⤵
  PID:7820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2056
  2⤵
  PID:7872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2060
  2⤵
  PID:7924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1112
  2⤵
  PID:7980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2088
  2⤵
  PID:8032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2096
  2⤵
  PID:8108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2312 -ip 2312
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2312 -ip 2312
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2312 -ip 2312
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5060 -ip 5060
1⤵
PID:2888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5060 -ip 5060
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5060 -ip 5060
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5060 -ip 5060
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5060 -ip 5060
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5060 -ip 5060
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2312 -ip 2312
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5060 -ip 5060
1⤵
PID:4896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2312 -ip 2312
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5060 -ip 5060
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5060 -ip 5060
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5060 -ip 5060
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2312 -ip 2312
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5060 -ip 5060
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2312 -ip 2312
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2312 -ip 2312
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2312 -ip 2312
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2312 -ip 2312
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2312 -ip 2312
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2312 -ip 2312
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2312 -ip 2312
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5060 -ip 5060
1⤵
PID:8464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:10120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2312 -ip 2312
1⤵
PID:8464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2312 -ip 2312
1⤵
PID:10224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2312 -ip 2312
1⤵
PID:10020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:10072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:10024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312
1⤵
PID:10160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2312 -ip 2312
1⤵
PID:10224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5060 -ip 5060
1⤵
PID:10216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:10224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:10064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312
1⤵
PID:10132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312
1⤵
PID:10144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:10228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2312 -ip 2312
1⤵
PID:10120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312
1⤵
PID:10056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2312 -ip 2312
1⤵
PID:10036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2312 -ip 2312
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:10028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:10128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2312 -ip 2312
1⤵
PID:10088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5060 -ip 5060
1⤵
PID:10028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2312 -ip 2312
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
1⤵
PID:10128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2312 -ip 2312
1⤵
PID:10136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2312 -ip 2312
1⤵
PID:10116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312
1⤵
PID:10056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2312 -ip 2312
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2312 -ip 2312
1⤵
PID:10108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2312 -ip 2312
1⤵
PID:10212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2312 -ip 2312
1⤵
PID:10216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5060 -ip 5060
1⤵
PID:10220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5060 -ip 5060
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5060 -ip 5060
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5060 -ip 5060
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5060 -ip 5060
1⤵
PID:10176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5060 -ip 5060
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 5060 -ip 5060
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5060 -ip 5060
1⤵
PID:10032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2312 -ip 2312
1⤵
PID:9996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2312 -ip 2312
1⤵
PID:10024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2312 -ip 2312
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2312 -ip 2312
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2312 -ip 2312
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2312 -ip 2312
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2312 -ip 2312
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2312 -ip 2312
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2312 -ip 2312
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2312 -ip 2312
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2312 -ip 2312
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2312 -ip 2312
1⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2312 -ip 2312
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2312 -ip 2312
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2312 -ip 2312
1⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2312 -ip 2312
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2312 -ip 2312
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2312 -ip 2312
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2312 -ip 2312
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2312 -ip 2312
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2312 -ip 2312
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2312 -ip 2312
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2312 -ip 2312
1⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2312 -ip 2312
1⤵
PID:6152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2312 -ip 2312
1⤵
PID:6208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2312 -ip 2312
1⤵
PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2312 -ip 2312
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2312 -ip 2312
1⤵
PID:6396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2312 -ip 2312
1⤵
PID:6452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2312 -ip 2312
1⤵
PID:6540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2312 -ip 2312
1⤵
PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2312 -ip 2312
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2312 -ip 2312
1⤵
PID:6704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2312 -ip 2312
1⤵
PID:6848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2312 -ip 2312
1⤵
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2312 -ip 2312
1⤵
PID:6964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:7020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 2312 -ip 2312
1⤵
PID:7100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2312 -ip 2312
1⤵
PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2312 -ip 2312
1⤵
PID:7240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:7296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2312 -ip 2312
1⤵
PID:7352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2312 -ip 2312
1⤵
PID:7412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2312 -ip 2312
1⤵
PID:7468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:7532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2312 -ip 2312
1⤵
PID:7580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2312 -ip 2312
1⤵
PID:7632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2312 -ip 2312
1⤵
PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2312 -ip 2312
1⤵
PID:7748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2312 -ip 2312
1⤵
PID:7800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:7852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2312 -ip 2312
1⤵
PID:7904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2312 -ip 2312
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2312 -ip 2312
1⤵
PID:8012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2312 -ip 2312
1⤵
PID:8084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_dd2803c7-d377-4f06-bdfe-aea230fc7b0e

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\3D Objects\RyukReadMe.html

Filesize
627B

MD5
51ccaf45dd2155a2296bec3361978d84

SHA1
6ad677cc4fcde5a5301437a2ac066beb793bd012

SHA256
3f70ea0be9a7aef9052469651363d0dbca090b235e47f7af4451efbe7769e222

SHA512
8aadb4d164f9a180ee7d794bae4ac5af9a95e53ecb04c89f0da15d8d3d80a0894570e164f6664e77e26ad04600edde715a035b774b625f542507ec697139558b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

Filesize
1KB

MD5
e9291a0335809686165dfe5c9262a63a

SHA1
bcedc65c07c55e96ed3e1df0a45e2b2d73a8253a

SHA256
54530379ea2c221955a3fa654d0aa47b5b5b5d447bc16d188990c57e14f6ec95

SHA512
2bc97826376b5824b394af2eb25e9214bcdc156e2efd4f71e9c65709b2e6aa0e0c48903fe62b306db172069c3f6a2360932bcc1b99be2cd2f37ad0530e6105c2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

Filesize
80KB

MD5
b45522ef9d372321cf244071a8b1b7ee

SHA1
d025dd5274d09a991bdd54ddec3b03f9325d1552

SHA256
e8cbda36cb3b4e151ebcf2e571c2ec27998eb8bfa387132e59ed51160bce9aec

SHA512
8b4711a22a47567c8e2b3751af887b4103f5f8b00b84366a175d9399ef5128dbc6c498795d5b0da64f3aec3c80d3eb3d034faef24bddc5c6194e5d1c19655c23

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

Filesize
9KB

MD5
81edca1fb277164692c7904b4f079db0

SHA1
ecf7ea31b506125fc84b05f00f91e04d032eea3d

SHA256
7ca4a484d2e4d6123ed8f22c21d91ec5c0993913e49875d08262bce97869ed19

SHA512
2ffbe6b97b7df804670f77167373e656ede32655fe20abe8b93c4cc248b63f53d67e7ff76f55db825e705d28273685a515b80c1c5746621cddce1d95fac98ce4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

Filesize
68KB

MD5
790d23811d9962b71b0d1fdaa1605969

SHA1
6757d6fce097f417acd27538a015e7744bd47fef

SHA256
3f0f98021c1f843fe043cd63c10645f873dcc843d9ad2aa985f19efc8da5d9aa

SHA512
8e40e48fc58383264e66b12e4fded4a92eb3579345b215cf484282d3e398ce0a70c20bcaededa4c249a22833fb033729877becfe33b3384600f06d08b7eb79dc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

Filesize
12KB

MD5
095a388efbe439fc74c36f18fdf357a4

SHA1
b5b791fd4b459b4f3fca84870991d35c20a5b71b

SHA256
2c925c61f3eee3d8f8a59506ce371db5e4e8bd2bef5839c6b23354ac49ba2694

SHA512
6e2c3e23792afd64793682aa1f5deb9b66bef5614f93b0c25248eba25ae5d3d06aa4e9f49fe8a35cb85324723be786ee479e878f74f789a0ce3171ca988488cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

Filesize
32KB

MD5
8b10959f3974f512090691fa5af65404

SHA1
c6edb7b9ecb9ad9fe623c6759c5359f8e8e1c301

SHA256
961182d07d4ea1577a26a900d96e37e8b40923ca103156ab96c8b23cdc8bed85

SHA512
144baada3fbfeb5ed54ab9910c6bf2b762d9bcabd962e5bb1c21f08657263fd00aa8af7b7addc2d8f18e13b0ee2104259fd3545eb1f8e14c65a8dd61b59ac86a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

Filesize
1KB

MD5
11d36d79633d6651a72b380d7ed69657

SHA1
c10d9ec1a5c9fe692c36fd87a14329cc721f1958

SHA256
8e71087a3946e481c383f3ee1a9f24541529895d94e61383062164c24a84e6b6

SHA512
bc61c9a3a639fa16a2f5d988ed462af3691d6fb18527f62532a02b1441e744cb2b1bac93e35fa46627db57fbc6d70963a208d1c14b1634147cb556234512682d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
e0a4bb219597a11889027e8af4aa9f34

SHA1
6351ce7aae47d0ec4279af31e7b8e6c06f37919c

SHA256
53a58fc488660fb64c403c22a5d0a8d28204ab548d59f6bd4ee44b9e4080ad9b

SHA512
5dff08420a2f6105d6abb52c7c0709c3f8eb4e5cdb477e011be3f6cf769af97e102048735e5102b1c1df2f7cd5446a6acc4e104808238b03b4c6285b6d9f7bdd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
f14ba8c6a95afa35b6f067393216c4c8

SHA1
7443e9eab5279cccfb7d2d2a162d87c7a3b15d9c

SHA256
bff2b6eecd7e35fc92d2d39a1e7259e71ffcedc296cfa35ab1bb7532556c0ed8

SHA512
95d83c5d8d5c68cd15f7aeefc365f69d0ccff1060367c3b35cf38bc9d5550ae5d043c845f6dc15e194ee3b478b47fb37c3100998737297fca2c40a5cb058bcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUnodPu.exe

Filesize
254KB

MD5
4540720d38ed99bceeb97161ca1ff401

SHA1
5714dfd839db561ebcb3cccfcb6f0e39ef644f7b

SHA256
4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb

SHA512
2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf

Download Submit
memory/2312-202-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-218-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-191-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-2-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download
memory/2312-18-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-214-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-17-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/2312-216-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-16-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download
memory/2312-237-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-15-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2312-238-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-221-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-239-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-225-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-226-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-227-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-228-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/2312-3-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/2312-1-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/5060-20-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-224-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-219-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-220-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

Filesize
32KB

Download
memory/5060-217-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-215-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-21-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-14-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download
memory/5060-13-0x0000000030000000-0x0000000030785000-memory.dmp

Filesize
7.5MB

Download