9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102

General

Target

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
Size

1.1MB
MD5

bf19b9d83c35f2a6a03365c3fcf4135d
SHA1

e6ae36b4bde0d51215d33a4432a95fc3c2465a70
SHA256

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102
SHA512

2cac488eb6359fc050b3a486b1052ed98bfb38d4e0d66e8c842600299e51c6602c2855e9732e7f5948ba6347ab41cd41510b0f84554321eb5db774ec4fe0160f

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ifconfig.me

flow	ioc
5	ifconfig.me

Suspicious use of SetThreadContext 34 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

description	pid	process	target process
PID 2036 set thread context of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 752	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1456	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2616	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 912	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2088	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1860	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4696	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2820	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1828	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1396	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1304	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2264	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1408	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 1264	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4884	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4864	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 916	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4092	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 3908	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 2268	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 4292	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 set thread context of 896	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2052	4380	WerFault.exe	MSBuild.exe
3304	644	WerFault.exe	MSBuild.exe
684	1560	WerFault.exe	MSBuild.exe
3004	2332	WerFault.exe	MSBuild.exe
4280	2324	WerFault.exe	MSBuild.exe
4664	4688	WerFault.exe	MSBuild.exe
2524	1360	WerFault.exe	MSBuild.exe
4624	2328	WerFault.exe	MSBuild.exe
4508	312	WerFault.exe	MSBuild.exe
3448	4432	WerFault.exe	MSBuild.exe
3524	2240	WerFault.exe	MSBuild.exe
3960	4892	WerFault.exe	MSBuild.exe
4088	752	WerFault.exe	MSBuild.exe
1164	1456	WerFault.exe	MSBuild.exe
2932	2616	WerFault.exe	MSBuild.exe
212	912	WerFault.exe	MSBuild.exe
2956	2088	WerFault.exe	MSBuild.exe
484	1860	WerFault.exe	MSBuild.exe
2408	4696	WerFault.exe	MSBuild.exe
4800	2820	WerFault.exe	MSBuild.exe
4748	1828	WerFault.exe	MSBuild.exe
1684	1396	WerFault.exe	MSBuild.exe
4944	1304	WerFault.exe	MSBuild.exe
1764	2264	WerFault.exe	MSBuild.exe
1696	1408	WerFault.exe	MSBuild.exe
3692	1264	WerFault.exe	MSBuild.exe
948	4884	WerFault.exe	MSBuild.exe
3056	4864	WerFault.exe	MSBuild.exe
4064	916	WerFault.exe	MSBuild.exe
4852	4092	WerFault.exe	MSBuild.exe
4264	3908	WerFault.exe	MSBuild.exe
3808	2268	WerFault.exe	MSBuild.exe
4440	4292	WerFault.exe	MSBuild.exe
4800	896	WerFault.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

pid	process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious behavior: MapViewOfSection 48 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

pid	process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4380	MSBuild.exe
Token: SeDebugPrivilege	644	MSBuild.exe
Token: SeDebugPrivilege	1560	MSBuild.exe
Token: SeDebugPrivilege	2332	MSBuild.exe
Token: SeDebugPrivilege	2324	MSBuild.exe
Token: SeDebugPrivilege	4688	MSBuild.exe
Token: SeDebugPrivilege	1360	MSBuild.exe
Token: SeDebugPrivilege	2328	MSBuild.exe
Token: SeDebugPrivilege	312	MSBuild.exe
Token: SeDebugPrivilege	4432	MSBuild.exe
Token: SeDebugPrivilege	2240	MSBuild.exe
Token: SeDebugPrivilege	4892	MSBuild.exe
Token: SeDebugPrivilege	752	MSBuild.exe
Token: SeDebugPrivilege	1456	MSBuild.exe
Token: SeDebugPrivilege	2616	MSBuild.exe
Token: SeDebugPrivilege	912	MSBuild.exe
Token: SeDebugPrivilege	2088	MSBuild.exe
Token: SeDebugPrivilege	1860	MSBuild.exe
Token: SeDebugPrivilege	4696	MSBuild.exe
Token: SeDebugPrivilege	2820	MSBuild.exe
Token: SeDebugPrivilege	1828	MSBuild.exe
Token: SeDebugPrivilege	1396	MSBuild.exe
Token: SeDebugPrivilege	1304	MSBuild.exe
Token: SeDebugPrivilege	2264	MSBuild.exe
Token: SeDebugPrivilege	1408	MSBuild.exe
Token: SeDebugPrivilege	1264	MSBuild.exe
Token: SeDebugPrivilege	4884	MSBuild.exe
Token: SeDebugPrivilege	4864	MSBuild.exe
Token: SeDebugPrivilege	916	MSBuild.exe
Token: SeDebugPrivilege	4092	MSBuild.exe
Token: SeDebugPrivilege	3908	MSBuild.exe
Token: SeDebugPrivilege	2268	MSBuild.exe
Token: SeDebugPrivilege	4292	MSBuild.exe
Token: SeDebugPrivilege	896	MSBuild.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

pid	process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

pid	process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

description	pid	process	target process
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe
PID 2036 wrote to memory of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
"C:\Users\Admin\AppData\Local\Temp\9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1752
3⤵
- Program crash
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1744
3⤵
- Program crash
PID:3304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1728
3⤵
- Program crash
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1772
3⤵
- Program crash
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1740
3⤵
- Program crash
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1764
3⤵
- Program crash
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1724
3⤵
- Program crash
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1772
3⤵
- Program crash
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1776
3⤵
- Program crash
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1772
3⤵
- Program crash
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1768
3⤵
- Program crash
PID:3524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1768
3⤵
- Program crash
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1744
3⤵
- Program crash
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1768
3⤵
- Program crash
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1764
3⤵
- Program crash
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1772
3⤵
- Program crash
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1768
3⤵
- Program crash
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1720
3⤵
- Program crash
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1780
3⤵
- Program crash
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1772
3⤵
- Program crash
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1768
3⤵
- Program crash
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1724
3⤵
- Program crash
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1768
3⤵
- Program crash
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1772
3⤵
- Program crash
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1724
3⤵
- Program crash
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1720
3⤵
- Program crash
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1764
3⤵
- Program crash
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1768
3⤵
- Program crash
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1724
3⤵
- Program crash
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1728
3⤵
- Program crash
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1724
3⤵
- Program crash
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1780
3⤵
- Program crash
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1764
3⤵
- Program crash
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1768
3⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 644 -ip 644
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1560 -ip 1560
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2332 -ip 2332
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2324 -ip 2324
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4688 -ip 4688
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1360 -ip 1360
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2328 -ip 2328
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 312 -ip 312
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2240 -ip 2240
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4892 -ip 4892
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 752 -ip 752
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1456 -ip 1456
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2616 -ip 2616
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 912 -ip 912
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2088 -ip 2088
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4696 -ip 4696
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2820 -ip 2820
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1828 -ip 1828
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1396 -ip 1396
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1304 -ip 1304
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2264 -ip 2264
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1408 -ip 1408
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1264 -ip 1264
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4884 -ip 4884
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4864 -ip 4864
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 916 -ip 916
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4092 -ip 4092
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3908 -ip 3908
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2268 -ip 2268
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4292 -ip 4292
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 896 -ip 896
1⤵
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-156-0x0000000000000000-mapping.dmp

Download
memory/644-138-0x0000000000000000-mapping.dmp

Download
memory/752-161-0x0000000000000000-mapping.dmp

Download
memory/896-197-0x0000000000000000-mapping.dmp

Download
memory/912-167-0x0000000000000000-mapping.dmp

Download
memory/916-188-0x0000000000000000-mapping.dmp

Download
memory/1264-185-0x0000000000000000-mapping.dmp

Download
memory/1304-178-0x0000000000000000-mapping.dmp

Download
memory/1360-151-0x0000000000000000-mapping.dmp

Download
memory/1396-177-0x0000000000000000-mapping.dmp

Download
memory/1408-182-0x0000000000000000-mapping.dmp

Download
memory/1456-162-0x0000000000000000-mapping.dmp

Download
memory/1560-140-0x0000000000000000-mapping.dmp

Download
memory/1828-174-0x0000000000000000-mapping.dmp

Download
memory/1860-171-0x0000000000000000-mapping.dmp

Download
memory/2036-165-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-142-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-147-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-148-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-198-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-150-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-145-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-152-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-133-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-154-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-155-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-144-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-196-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-184-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-159-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-194-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-181-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-179-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-163-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-132-0x00000000018F0000-0x000000000190F000-memory.dmp

Filesize
124KB

Download
memory/2036-176-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-166-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-141-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-168-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-175-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-170-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-139-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-192-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-183-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-190-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2088-169-0x0000000000000000-mapping.dmp

Download
memory/2240-158-0x0000000000000000-mapping.dmp

Download
memory/2264-180-0x0000000000000000-mapping.dmp

Download
memory/2268-193-0x0000000000000000-mapping.dmp

Download
memory/2324-146-0x0000000000000000-mapping.dmp

Download
memory/2328-153-0x0000000000000000-mapping.dmp

Download
memory/2332-143-0x0000000000000000-mapping.dmp

Download
memory/2616-164-0x0000000000000000-mapping.dmp

Download
memory/2820-173-0x0000000000000000-mapping.dmp

Download
memory/3908-191-0x0000000000000000-mapping.dmp

Download
memory/4092-189-0x0000000000000000-mapping.dmp

Download
memory/4292-195-0x0000000000000000-mapping.dmp

Download
memory/4380-130-0x0000000000000000-mapping.dmp

Download
memory/4380-136-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download
memory/4380-137-0x0000000006B40000-0x0000000006D02000-memory.dmp

Filesize
1.8MB

Download
memory/4380-135-0x00000000058D0000-0x000000000596C000-memory.dmp

Filesize
624KB

Download
memory/4380-134-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4380-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4432-157-0x0000000000000000-mapping.dmp

Download
memory/4688-149-0x0000000000000000-mapping.dmp

Download
memory/4696-172-0x0000000000000000-mapping.dmp

Download
memory/4864-187-0x0000000000000000-mapping.dmp

Download
memory/4884-186-0x0000000000000000-mapping.dmp

Download
memory/4892-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads