djvu | 882d21caaa936533ad9de2efcbb7ad5a1bac01af755eb88c2e50d8c4a522eb06

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	568E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	568E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	EE8D.exe

Loads dropped DLL 22 IoCs

pid	Process
4376	regsvr32.exe
4020	build2.exe
4020	build2.exe
4020	build2.exe
2344	rundll32.exe
2344	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
4904	rundll32.exe
4904	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
4516	rundll32.exe
4516	rundll32.exe
3568	rundll32.exe
3568	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1736	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8bfa3274-892a-4722-bc8e-ff6b4ada4182\\568E.exe\" --AutoStart"	568E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.2ip.ua
27	api.2ip.ua
43	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 3556	4992	5E12.exe	90
PID 1332 set thread context of 1916	1332	568E.exe	96
PID 4312 set thread context of 4060	4312	568E.exe	106
PID 4744 set thread context of 4020	4744	build2.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2240	3264	WerFault.exe	91
116	1084	WerFault.exe	84
4392	4448	WerFault.exe	121
5104	4448	WerFault.exe	121
2712	4448	WerFault.exe	121
3504	4448	WerFault.exe	121
4388	4448	WerFault.exe	121
3520	4448	WerFault.exe	121
3584	4448	WerFault.exe	121
4036	4448	WerFault.exe	121
2008	4280	WerFault.exe	136
3248	4280	WerFault.exe	136
424	4280	WerFault.exe	136
3540	4280	WerFault.exe	136
4000	4280	WerFault.exe	136
1464	4280	WerFault.exe	136
4836	4280	WerFault.exe	136
1904	4280	WerFault.exe	136
5096	4280	WerFault.exe	136
1928	4360	WerFault.exe	155
2948	4360	WerFault.exe	155
3628	4360	WerFault.exe	155
1080	4360	WerFault.exe	155
5092	4360	WerFault.exe	155
4108	4360	WerFault.exe	155
4412	4360	WerFault.exe	155
1780	4360	WerFault.exe	155
1832	4448	WerFault.exe	121
952	4360	WerFault.exe	155
4388	4360	WerFault.exe	155
3512	3060	WerFault.exe	181
3928	3060	WerFault.exe	181
4080	3060	WerFault.exe	181
804	3060	WerFault.exe	181
1688	3060	WerFault.exe	181
3132	3060	WerFault.exe	181
1968	3060	WerFault.exe	181
1084	4280	WerFault.exe	136
896	3060	WerFault.exe	181
2952	3060	WerFault.exe	181
4512	3060	WerFault.exe	181
4944	5056	WerFault.exe	205
4456	5056	WerFault.exe	205
2524	5056	WerFault.exe	205
1868	5056	WerFault.exe	205
4120	5056	WerFault.exe	205
2032	5056	WerFault.exe	205
636	5056	WerFault.exe	205
1236	5056	WerFault.exe	205
4360	5056	WerFault.exe	205
2260	5056	WerFault.exe	205
4292	548	WerFault.exe	227
3996	548	WerFault.exe	227
3220	548	WerFault.exe	227
2312	548	WerFault.exe	227
4000	548	WerFault.exe	227
3048	548	WerFault.exe	227
3636	548	WerFault.exe	227
3932	548	WerFault.exe	227
4568	548	WerFault.exe	227
1792	4952	WerFault.exe	247
1096	4952	WerFault.exe	247
3840	4952	WerFault.exe	247
1472	4952	WerFault.exe	247

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61FB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61FB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61FB.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3540	schtasks.exe
4192	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2208	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	5A29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	5A29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	5A29.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3704	file.exe
3704	file.exe
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3704	file.exe
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
3512	61FB.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeDebugPrivilege	1084	5555.exe
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeDebugPrivilege	3556	vbc.exe
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3508	2440	Process not Found	82
PID 2440 wrote to memory of 3508	2440	Process not Found	82
PID 3508 wrote to memory of 4376	3508	regsvr32.exe	83
PID 3508 wrote to memory of 4376	3508	regsvr32.exe	83
PID 3508 wrote to memory of 4376	3508	regsvr32.exe	83
PID 2440 wrote to memory of 1084	2440	Process not Found	84
PID 2440 wrote to memory of 1084	2440	Process not Found	84
PID 2440 wrote to memory of 1084	2440	Process not Found	84
PID 2440 wrote to memory of 1332	2440	Process not Found	85
PID 2440 wrote to memory of 1332	2440	Process not Found	85
PID 2440 wrote to memory of 1332	2440	Process not Found	85
PID 2440 wrote to memory of 4568	2440	Process not Found	86
PID 2440 wrote to memory of 4568	2440	Process not Found	86
PID 2440 wrote to memory of 4992	2440	Process not Found	87
PID 2440 wrote to memory of 4992	2440	Process not Found	87
PID 2440 wrote to memory of 4992	2440	Process not Found	87
PID 2440 wrote to memory of 3512	2440	Process not Found	89
PID 2440 wrote to memory of 3512	2440	Process not Found	89
PID 2440 wrote to memory of 3512	2440	Process not Found	89
PID 4992 wrote to memory of 3556	4992	5E12.exe	90
PID 4992 wrote to memory of 3556	4992	5E12.exe	90
PID 4992 wrote to memory of 3556	4992	5E12.exe	90
PID 4992 wrote to memory of 3556	4992	5E12.exe	90
PID 2440 wrote to memory of 3264	2440	Process not Found	91
PID 2440 wrote to memory of 3264	2440	Process not Found	91
PID 2440 wrote to memory of 3264	2440	Process not Found	91
PID 2440 wrote to memory of 2964	2440	Process not Found	98
PID 2440 wrote to memory of 2964	2440	Process not Found	98
PID 2440 wrote to memory of 2964	2440	Process not Found	98
PID 2440 wrote to memory of 2964	2440	Process not Found	98
PID 4992 wrote to memory of 3556	4992	5E12.exe	90
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 1332 wrote to memory of 1916	1332	568E.exe	96
PID 4568 wrote to memory of 2524	4568	5A29.exe	92
PID 4568 wrote to memory of 2524	4568	5A29.exe	92
PID 2440 wrote to memory of 3444	2440	Process not Found	93
PID 2440 wrote to memory of 3444	2440	Process not Found	93
PID 2440 wrote to memory of 3444	2440	Process not Found	93
PID 1916 wrote to memory of 1736	1916	568E.exe	101
PID 1916 wrote to memory of 1736	1916	568E.exe	101
PID 1916 wrote to memory of 1736	1916	568E.exe	101
PID 1916 wrote to memory of 4312	1916	568E.exe	104
PID 1916 wrote to memory of 4312	1916	568E.exe	104
PID 1916 wrote to memory of 4312	1916	568E.exe	104
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4312 wrote to memory of 4060	4312	568E.exe	106
PID 4060 wrote to memory of 4744	4060	568E.exe	108
PID 4060 wrote to memory of 4744	4060	568E.exe	108

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3704

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5488.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5488.dll
  2⤵
  - Loads dropped DLL
  PID:4376

C:\Users\Admin\AppData\Local\Temp\5555.exe
C:\Users\Admin\AppData\Local\Temp\5555.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1260
  2⤵
  - Program crash
  PID:116

C:\Users\Admin\AppData\Local\Temp\568E.exe
C:\Users\Admin\AppData\Local\Temp\568E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\568E.exe
  C:\Users\Admin\AppData\Local\Temp\568E.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\8bfa3274-892a-4722-bc8e-ff6b4ada4182" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\568E.exe
    "C:\Users\Admin\AppData\Local\Temp\568E.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\568E.exe
      "C:\Users\Admin\AppData\Local\Temp\568E.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build2.exe
        
        "C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4744
      - C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build2.exe
        
        "C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build2.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build2.exe" & exit
        7⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2208
    - - C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build3.exe
        
        "C:\Users\Admin\AppData\Local\60d5d471-a43d-48a0-b1fd-c8639449ca75\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:484
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3540

C:\Users\Admin\AppData\Local\Temp\5A29.exe
C:\Users\Admin\AppData\Local\Temp\5A29.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\system32\cmd.exe
  cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\5A29.exe"
  2⤵
  PID:2524

C:\Users\Admin\AppData\Local\Temp\5E12.exe
C:\Users\Admin\AppData\Local\Temp\5E12.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3556

C:\Users\Admin\AppData\Local\Temp\61FB.exe
C:\Users\Admin\AppData\Local\Temp\61FB.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3512

C:\Users\Admin\AppData\Local\Temp\64DA.exe
C:\Users\Admin\AppData\Local\Temp\64DA.exe
1⤵
- Executes dropped EXE
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 340
  2⤵
  - Program crash
  PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3264 -ip 3264
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1084 -ip 1084
1⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\EE8D.exe
C:\Users\Admin\AppData\Local\Temp\EE8D.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 636
  2⤵
  - Program crash
  PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 932
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 932
  2⤵
  - Program crash
  PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 940
  2⤵
  - Program crash
  PID:3504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 940
  2⤵
  - Program crash
  PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 940
  2⤵
  - Program crash
  PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1132
  2⤵
  - Program crash
  PID:3584
- C:\Users\Admin\AppData\Local\Temp\EE8D.exe
  "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 600
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 996
    3⤵
    - Program crash
    PID:3248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1004
    3⤵
    - Program crash
    PID:424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1004
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1004
    3⤵
    - Program crash
    PID:4000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1120
    3⤵
    - Program crash
    PID:1464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1100
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1124
    3⤵
    - Program crash
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\EE8D.exe
    "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 600
      4⤵
      Program crash
      PID:1928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 996
      4⤵
      Program crash
      PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1004
      4⤵
      Program crash
      PID:3628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1004
      4⤵
      Program crash
      PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1088
      4⤵
      Program crash
      PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1072
      4⤵
      Program crash
      PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1132
      4⤵
      Program crash
      PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1008
      4⤵
      Program crash
      PID:1780
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:3440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 984
      4⤵
      Program crash
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\EE8D.exe
      "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:3060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 600
        5⤵
        Program crash
        
        PID:3512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 996
        5⤵
        Program crash
        
        PID:3928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1004
        5⤵
        Program crash
        
        PID:4080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1068
        5⤵
        Program crash
        
        PID:804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1076
        5⤵
        Program crash
        
        PID:1688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1104
        5⤵
        Program crash
        
        PID:3132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1072
        5⤵
        Program crash
        
        PID:1968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1100
        5⤵
        Program crash
        
        PID:896
    - - C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 600
        6⤵
        Program crash
        
        PID:4944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 760
        6⤵
        Program crash
        
        PID:4456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 756
        6⤵
        Program crash
        
        PID:2524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 756
        6⤵
        Program crash
        
        PID:1868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1088
        6⤵
        Program crash
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1104
        6⤵
        Program crash
        
        PID:2032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1132
        6⤵
        Program crash
        
        PID:636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1176
        6⤵
        Program crash
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 600
        7⤵
        Program crash
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 996
        7⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1064
        7⤵
        Program crash
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 992
        7⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1088
        7⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1096
        7⤵
        Program crash
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1108
        7⤵
        Program crash
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 600
        8⤵
        Program crash
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 888
        8⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 880
        8⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1080
        8⤵
        Program crash
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 916
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 916
        8⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1148
        8⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 600
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 996
        9⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1064
        9⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1096
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1096
        9⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1132
        9⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1164
        9⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1172
        9⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 600
        10⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 996
        10⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1064
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1064
        10⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1088
        10⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1100
        10⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1064
        10⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 992
        10⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        10⤵
        Loads dropped DLL
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\EE8D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EE8D.exe"
        10⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 600
        11⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 940
        11⤵
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 936
        11⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 936
        11⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1096
        11⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1072
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 984
        10⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 1088
        10⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        9⤵
        Loads dropped DLL
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 984
        9⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1216
        9⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1016
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1176
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Loads dropped DLL
        
        PID:3568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 984
        7⤵
        Program crash
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 996
        7⤵
        Program crash
        
        PID:4568
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1004
        6⤵
        Program crash
        
        PID:4360
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1076
        6⤵
        Program crash
        
        PID:2260
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Loads dropped DLL
        
        PID:2996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 984
        5⤵
        Program crash
        
        PID:2952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1152
        5⤵
        Program crash
        
        PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1128
      4⤵
      Program crash
      PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 984
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1144
    3⤵
    - Program crash
    PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1048
  2⤵
  - Program crash
  PID:4036
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1180
  2⤵
  - Program crash
  PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4448 -ip 4448
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4448 -ip 4448
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4448 -ip 4448
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4448 -ip 4448
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4448 -ip 4448
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4448 -ip 4448
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4448 -ip 4448
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4448 -ip 4448
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4280 -ip 4280
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4280 -ip 4280
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4280 -ip 4280
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4280 -ip 4280
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4280 -ip 4280
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4280 -ip 4280
1⤵
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4280 -ip 4280
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4280 -ip 4280
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4360 -ip 4360
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4360 -ip 4360
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4360 -ip 4360
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4360 -ip 4360
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4360 -ip 4360
1⤵
PID:3488

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1048
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4360 -ip 4360
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 4360
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4360 -ip 4360
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4448 -ip 4448
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4360 -ip 4360
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4360 -ip 4360
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3060 -ip 3060
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3060 -ip 3060
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3060 -ip 3060
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3060 -ip 3060
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3060 -ip 3060
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3060 -ip 3060
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3060 -ip 3060
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4280 -ip 4280
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3060 -ip 3060
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3060 -ip 3060
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3060 -ip 3060
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5056 -ip 5056
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5056 -ip 5056
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5056 -ip 5056
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5056 -ip 5056
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5056 -ip 5056
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5056 -ip 5056
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5056 -ip 5056
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5056 -ip 5056
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5056 -ip 5056
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5056 -ip 5056
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 548 -ip 548
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 548 -ip 548
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 548 -ip 548
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 548 -ip 548
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 548 -ip 548
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 548 -ip 548
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 548 -ip 548
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 548 -ip 548
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 548 -ip 548
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4952 -ip 4952
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4952 -ip 4952
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4952 -ip 4952
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4952 -ip 4952
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4952 -ip 4952
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4952 -ip 4952
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4952 -ip 4952
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4952 -ip 4952
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4952 -ip 4952
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4916 -ip 4916
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4916 -ip 4916
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4916 -ip 4916
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4916 -ip 4916
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4916 -ip 4916
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4916 -ip 4916
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4916 -ip 4916
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4916 -ip 4916
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4916 -ip 4916
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4916 -ip 4916
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 340 -ip 340
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 340 -ip 340
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 340 -ip 340
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 340 -ip 340
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 340 -ip 340
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 340 -ip 340
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 340 -ip 340
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 340 -ip 340
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 340 -ip 340
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 340 -ip 340
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3012 -ip 3012
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3012 -ip 3012
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3012 -ip 3012
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3012 -ip 3012
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3012 -ip 3012
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3012 -ip 3012
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery