asyncrat | 12ce860b2726217e1ad462071f073e05b85dce749caaf4a2daa390b56a052208

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	3002.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	microsoft 2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	d7348622e8bddc8aeab8662e78d804b6.exe

Executes dropped EXE 13 IoCs

pid	Process
2324	3002.exe
4580	askinstall54.exe
3476	BearVpn 2.exe
2712	Chrome3 2.exe
4844	GLKbrow.exe
2620	3002.exe
784	jhuuee.exe
1264	microsoft 2.exe
2380	NGlorySetp.exe
2512	setup.exe
2028	updatenew.exe
536	GLKbrow.exe
1676	microsoft 2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall54.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
14	iplogger.org
16	iplogger.org
24	iplogger.org
27	iplogger.org
42	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4844 set thread context of 536	4844	GLKbrow.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4380	2512	WerFault.exe	104
2080	2512	WerFault.exe	104
436	2512	WerFault.exe	104
2072	2512	WerFault.exe	104
752	2512	WerFault.exe	104
3248	2512	WerFault.exe	104
4964	2512	WerFault.exe	104
4340	2512	WerFault.exe	104
1936	2512	WerFault.exe	104
444	1676	WerFault.exe	137

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1876	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1172	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5012	taskkill.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe
1264	microsoft 2.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4580	askinstall54.exe
Token: SeAssignPrimaryTokenPrivilege	4580	askinstall54.exe
Token: SeLockMemoryPrivilege	4580	askinstall54.exe
Token: SeIncreaseQuotaPrivilege	4580	askinstall54.exe
Token: SeMachineAccountPrivilege	4580	askinstall54.exe
Token: SeTcbPrivilege	4580	askinstall54.exe
Token: SeSecurityPrivilege	4580	askinstall54.exe
Token: SeTakeOwnershipPrivilege	4580	askinstall54.exe
Token: SeLoadDriverPrivilege	4580	askinstall54.exe
Token: SeSystemProfilePrivilege	4580	askinstall54.exe
Token: SeSystemtimePrivilege	4580	askinstall54.exe
Token: SeProfSingleProcessPrivilege	4580	askinstall54.exe
Token: SeIncBasePriorityPrivilege	4580	askinstall54.exe
Token: SeCreatePagefilePrivilege	4580	askinstall54.exe
Token: SeCreatePermanentPrivilege	4580	askinstall54.exe
Token: SeBackupPrivilege	4580	askinstall54.exe
Token: SeRestorePrivilege	4580	askinstall54.exe
Token: SeShutdownPrivilege	4580	askinstall54.exe
Token: SeDebugPrivilege	4580	askinstall54.exe
Token: SeAuditPrivilege	4580	askinstall54.exe
Token: SeSystemEnvironmentPrivilege	4580	askinstall54.exe
Token: SeChangeNotifyPrivilege	4580	askinstall54.exe
Token: SeRemoteShutdownPrivilege	4580	askinstall54.exe
Token: SeUndockPrivilege	4580	askinstall54.exe
Token: SeSyncAgentPrivilege	4580	askinstall54.exe
Token: SeEnableDelegationPrivilege	4580	askinstall54.exe
Token: SeManageVolumePrivilege	4580	askinstall54.exe
Token: SeImpersonatePrivilege	4580	askinstall54.exe
Token: SeCreateGlobalPrivilege	4580	askinstall54.exe
Token: 31	4580	askinstall54.exe
Token: 32	4580	askinstall54.exe
Token: 33	4580	askinstall54.exe
Token: 34	4580	askinstall54.exe
Token: 35	4580	askinstall54.exe
Token: SeDebugPrivilege	3476	BearVpn 2.exe
Token: SeDebugPrivilege	2380	NGlorySetp.exe
Token: SeDebugPrivilege	536	GLKbrow.exe
Token: SeDebugPrivilege	1264	microsoft 2.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeCreateGlobalPrivilege	1272	dwm.exe
Token: SeChangeNotifyPrivilege	1272	dwm.exe
Token: 33	1272	dwm.exe
Token: SeIncBasePriorityPrivilege	1272	dwm.exe
Token: SeDebugPrivilege	2028	updatenew.exe
Token: SeShutdownPrivilege	1272	dwm.exe
Token: SeCreatePagefilePrivilege	1272	dwm.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2324	4360	d7348622e8bddc8aeab8662e78d804b6.exe	92
PID 4360 wrote to memory of 2324	4360	d7348622e8bddc8aeab8662e78d804b6.exe	92
PID 4360 wrote to memory of 2324	4360	d7348622e8bddc8aeab8662e78d804b6.exe	92
PID 4360 wrote to memory of 4580	4360	d7348622e8bddc8aeab8662e78d804b6.exe	94
PID 4360 wrote to memory of 4580	4360	d7348622e8bddc8aeab8662e78d804b6.exe	94
PID 4360 wrote to memory of 4580	4360	d7348622e8bddc8aeab8662e78d804b6.exe	94
PID 4360 wrote to memory of 3476	4360	d7348622e8bddc8aeab8662e78d804b6.exe	95
PID 4360 wrote to memory of 3476	4360	d7348622e8bddc8aeab8662e78d804b6.exe	95
PID 4360 wrote to memory of 3476	4360	d7348622e8bddc8aeab8662e78d804b6.exe	95
PID 4360 wrote to memory of 2712	4360	d7348622e8bddc8aeab8662e78d804b6.exe	96
PID 4360 wrote to memory of 2712	4360	d7348622e8bddc8aeab8662e78d804b6.exe	96
PID 4360 wrote to memory of 4844	4360	d7348622e8bddc8aeab8662e78d804b6.exe	97
PID 4360 wrote to memory of 4844	4360	d7348622e8bddc8aeab8662e78d804b6.exe	97
PID 4360 wrote to memory of 4844	4360	d7348622e8bddc8aeab8662e78d804b6.exe	97
PID 2324 wrote to memory of 2620	2324	3002.exe	99
PID 2324 wrote to memory of 2620	2324	3002.exe	99
PID 2324 wrote to memory of 2620	2324	3002.exe	99
PID 4360 wrote to memory of 784	4360	d7348622e8bddc8aeab8662e78d804b6.exe	100
PID 4360 wrote to memory of 784	4360	d7348622e8bddc8aeab8662e78d804b6.exe	100
PID 4360 wrote to memory of 1264	4360	d7348622e8bddc8aeab8662e78d804b6.exe	102
PID 4360 wrote to memory of 1264	4360	d7348622e8bddc8aeab8662e78d804b6.exe	102
PID 4360 wrote to memory of 1264	4360	d7348622e8bddc8aeab8662e78d804b6.exe	102
PID 4360 wrote to memory of 2380	4360	d7348622e8bddc8aeab8662e78d804b6.exe	103
PID 4360 wrote to memory of 2380	4360	d7348622e8bddc8aeab8662e78d804b6.exe	103
PID 4360 wrote to memory of 2512	4360	d7348622e8bddc8aeab8662e78d804b6.exe	104
PID 4360 wrote to memory of 2512	4360	d7348622e8bddc8aeab8662e78d804b6.exe	104
PID 4360 wrote to memory of 2512	4360	d7348622e8bddc8aeab8662e78d804b6.exe	104
PID 4360 wrote to memory of 2028	4360	d7348622e8bddc8aeab8662e78d804b6.exe	105
PID 4360 wrote to memory of 2028	4360	d7348622e8bddc8aeab8662e78d804b6.exe	105
PID 4360 wrote to memory of 2028	4360	d7348622e8bddc8aeab8662e78d804b6.exe	105
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 4844 wrote to memory of 536	4844	GLKbrow.exe	106
PID 1264 wrote to memory of 4756	1264	microsoft 2.exe	112
PID 1264 wrote to memory of 4756	1264	microsoft 2.exe	112
PID 1264 wrote to memory of 4756	1264	microsoft 2.exe	112
PID 1264 wrote to memory of 1632	1264	microsoft 2.exe	114
PID 1264 wrote to memory of 1632	1264	microsoft 2.exe	114
PID 1264 wrote to memory of 1632	1264	microsoft 2.exe	114
PID 4756 wrote to memory of 1876	4756	cmd.exe	116
PID 4756 wrote to memory of 1876	4756	cmd.exe	116
PID 4756 wrote to memory of 1876	4756	cmd.exe	116
PID 1632 wrote to memory of 1172	1632	cmd.exe	118
PID 1632 wrote to memory of 1172	1632	cmd.exe	118
PID 1632 wrote to memory of 1172	1632	cmd.exe	118
PID 4580 wrote to memory of 1896	4580	askinstall54.exe	124
PID 4580 wrote to memory of 1896	4580	askinstall54.exe	124
PID 4580 wrote to memory of 1896	4580	askinstall54.exe	124
PID 1896 wrote to memory of 5012	1896	cmd.exe	126
PID 1896 wrote to memory of 5012	1896	cmd.exe	126
PID 1896 wrote to memory of 5012	1896	cmd.exe	126
PID 1632 wrote to memory of 1676	1632	cmd.exe	137
PID 1632 wrote to memory of 1676	1632	cmd.exe	137
PID 1632 wrote to memory of 1676	1632	cmd.exe	137
PID 4580 wrote to memory of 4384	4580	askinstall54.exe	139
PID 4580 wrote to memory of 4384	4580	askinstall54.exe	139

C:\Users\Admin\AppData\Local\Temp\d7348622e8bddc8aeab8662e78d804b6.exe
"C:\Users\Admin\AppData\Local\Temp\d7348622e8bddc8aeab8662e78d804b6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\3002.exe
  "C:\Users\Admin\AppData\Local\Temp\3002.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
    3⤵
    - Executes dropped EXE
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    PID:4384
- C:\Users\Admin\AppData\Local\Temp\BearVpn 2.exe
  "C:\Users\Admin\AppData\Local\Temp\BearVpn 2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\Chrome3 2.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome3 2.exe"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
  "C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
    C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Users\Admin\AppData\Local\Temp\microsoft 2.exe
  "C:\Users\Admin\AppData\Local\Temp\microsoft 2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsoft 2" /tr '"C:\Users\Admin\AppData\Roaming\microsoft 2.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "microsoft 2" /tr '"C:\Users\Admin\AppData\Roaming\microsoft 2.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DEF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1172
  - - C:\Users\Admin\AppData\Roaming\microsoft 2.exe
      "C:\Users\Admin\AppData\Roaming\microsoft 2.exe"
      4⤵
      Executes dropped EXE
      PID:1676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 768
        5⤵
        Program crash
        
        PID:444
- C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe
  "C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 792
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 800
    3⤵
    - Program crash
    PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 824
    3⤵
    - Program crash
    PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 964
    3⤵
    - Program crash
    PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1012
    3⤵
    - Program crash
    PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1164
    3⤵
    - Program crash
    PID:3248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1176
    3⤵
    - Program crash
    PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1296
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1364
    3⤵
    - Program crash
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\updatenew.exe
  "C:\Users\Admin\AppData\Local\Temp\updatenew.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2512 -ip 2512
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2512 -ip 2512
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2512 -ip 2512
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2512 -ip 2512
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2512 -ip 2512
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2512 -ip 2512
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2512 -ip 2512
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2512 -ip 2512
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1676 -ip 1676
1⤵
PID:5116

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4676 -i 4676 -h 584 -j 436 -s 184 -d 3028
1⤵
PID:1148

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery