9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
Size

1.1MB
MD5

bf19b9d83c35f2a6a03365c3fcf4135d
SHA1

e6ae36b4bde0d51215d33a4432a95fc3c2465a70
SHA256

9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102
SHA512

2cac488eb6359fc050b3a486b1052ed98bfb38d4e0d66e8c842600299e51c6602c2855e9732e7f5948ba6347ab41cd41510b0f84554321eb5db774ec4fe0160f

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ifconfig.me

Suspicious use of SetThreadContext 34 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	80
PID 2036 set thread context of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	84
PID 2036 set thread context of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	87
PID 2036 set thread context of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	91
PID 2036 set thread context of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	95
PID 2036 set thread context of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	99
PID 2036 set thread context of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	105
PID 2036 set thread context of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	108
PID 2036 set thread context of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	111
PID 2036 set thread context of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	116
PID 2036 set thread context of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	119
PID 2036 set thread context of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	122
PID 2036 set thread context of 752	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	125
PID 2036 set thread context of 1456	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	130
PID 2036 set thread context of 2616	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	133
PID 2036 set thread context of 912	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	136
PID 2036 set thread context of 2088	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	140
PID 2036 set thread context of 1860	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	143
PID 2036 set thread context of 4696	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	146
PID 2036 set thread context of 2820	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	149
PID 2036 set thread context of 1828	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	152
PID 2036 set thread context of 1396	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	155
PID 2036 set thread context of 1304	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	158
PID 2036 set thread context of 2264	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	161
PID 2036 set thread context of 1408	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	164
PID 2036 set thread context of 1264	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	167
PID 2036 set thread context of 4884	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	170
PID 2036 set thread context of 4864	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	175
PID 2036 set thread context of 916	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	178
PID 2036 set thread context of 4092	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	181
PID 2036 set thread context of 3908	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	185
PID 2036 set thread context of 2268	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	188
PID 2036 set thread context of 4292	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	193
PID 2036 set thread context of 896	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	196

Program crash 34 IoCs

pid	pid_target	Process	procid_target
2052	4380	WerFault.exe	80
3304	644	WerFault.exe	84
684	1560	WerFault.exe	87
3004	2332	WerFault.exe	91
4280	2324	WerFault.exe	95
4664	4688	WerFault.exe	99
2524	1360	WerFault.exe	105
4624	2328	WerFault.exe	108
4508	312	WerFault.exe	111
3448	4432	WerFault.exe	116
3524	2240	WerFault.exe	119
3960	4892	WerFault.exe	122
4088	752	WerFault.exe	125
1164	1456	WerFault.exe	130
2932	2616	WerFault.exe	133
212	912	WerFault.exe	136
2956	2088	WerFault.exe	140
484	1860	WerFault.exe	143
2408	4696	WerFault.exe	146
4800	2820	WerFault.exe	149
4748	1828	WerFault.exe	152
1684	1396	WerFault.exe	155
4944	1304	WerFault.exe	158
1764	2264	WerFault.exe	161
1696	1408	WerFault.exe	164
3692	1264	WerFault.exe	167
948	4884	WerFault.exe	170
3056	4864	WerFault.exe	175
4064	916	WerFault.exe	178
4852	4092	WerFault.exe	181
4264	3908	WerFault.exe	185
3808	2268	WerFault.exe	188
4440	4292	WerFault.exe	193
4800	896	WerFault.exe	196

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious behavior: MapViewOfSection 48 IoCs

pid	Process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	MSBuild.exe
Token: SeDebugPrivilege	644	MSBuild.exe
Token: SeDebugPrivilege	1560	MSBuild.exe
Token: SeDebugPrivilege	2332	MSBuild.exe
Token: SeDebugPrivilege	2324	MSBuild.exe
Token: SeDebugPrivilege	4688	MSBuild.exe
Token: SeDebugPrivilege	1360	MSBuild.exe
Token: SeDebugPrivilege	2328	MSBuild.exe
Token: SeDebugPrivilege	312	MSBuild.exe
Token: SeDebugPrivilege	4432	MSBuild.exe
Token: SeDebugPrivilege	2240	MSBuild.exe
Token: SeDebugPrivilege	4892	MSBuild.exe
Token: SeDebugPrivilege	752	MSBuild.exe
Token: SeDebugPrivilege	1456	MSBuild.exe
Token: SeDebugPrivilege	2616	MSBuild.exe
Token: SeDebugPrivilege	912	MSBuild.exe
Token: SeDebugPrivilege	2088	MSBuild.exe
Token: SeDebugPrivilege	1860	MSBuild.exe
Token: SeDebugPrivilege	4696	MSBuild.exe
Token: SeDebugPrivilege	2820	MSBuild.exe
Token: SeDebugPrivilege	1828	MSBuild.exe
Token: SeDebugPrivilege	1396	MSBuild.exe
Token: SeDebugPrivilege	1304	MSBuild.exe
Token: SeDebugPrivilege	2264	MSBuild.exe
Token: SeDebugPrivilege	1408	MSBuild.exe
Token: SeDebugPrivilege	1264	MSBuild.exe
Token: SeDebugPrivilege	4884	MSBuild.exe
Token: SeDebugPrivilege	4864	MSBuild.exe
Token: SeDebugPrivilege	916	MSBuild.exe
Token: SeDebugPrivilege	4092	MSBuild.exe
Token: SeDebugPrivilege	3908	MSBuild.exe
Token: SeDebugPrivilege	2268	MSBuild.exe
Token: SeDebugPrivilege	4292	MSBuild.exe
Token: SeDebugPrivilege	896	MSBuild.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	80
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	80
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	80
PID 2036 wrote to memory of 4380	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	80
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	84
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	84
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	84
PID 2036 wrote to memory of 644	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	84
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	87
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	87
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	87
PID 2036 wrote to memory of 1560	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	87
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	90
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	90
PID 2036 wrote to memory of 4516	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	90
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	91
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	91
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	91
PID 2036 wrote to memory of 2332	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	91
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	94
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	94
PID 2036 wrote to memory of 3712	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	94
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	95
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	95
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	95
PID 2036 wrote to memory of 2324	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	95
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	98
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	98
PID 2036 wrote to memory of 4256	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	98
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	99
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	99
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	99
PID 2036 wrote to memory of 4688	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	99
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	102
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	102
PID 2036 wrote to memory of 1788	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	102
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	103
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	103
PID 2036 wrote to memory of 2732	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	103
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	104
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	104
PID 2036 wrote to memory of 444	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	104
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	105
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	105
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	105
PID 2036 wrote to memory of 1360	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	105
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	108
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	108
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	108
PID 2036 wrote to memory of 2328	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	108
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	111
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	111
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	111
PID 2036 wrote to memory of 312	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	111
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	116
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	116
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	116
PID 2036 wrote to memory of 4432	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	116
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	119
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	119
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	119
PID 2036 wrote to memory of 2240	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	119
PID 2036 wrote to memory of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	122
PID 2036 wrote to memory of 4892	2036	9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe	122

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe
"C:\Users\Admin\AppData\Local\Temp\9cfbfeea1c8769897ea1b35e658efa43e78a79e13828b54523b7e21d7a273102.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1752
    3⤵
    - Program crash
    PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1744
    3⤵
    - Program crash
    PID:3304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1728
    3⤵
    - Program crash
    PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1772
    3⤵
    - Program crash
    PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1740
    3⤵
    - Program crash
    PID:4280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1764
    3⤵
    - Program crash
    PID:4664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1724
    3⤵
    - Program crash
    PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1772
    3⤵
    - Program crash
    PID:4624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1776
    3⤵
    - Program crash
    PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1772
    3⤵
    - Program crash
    PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1768
    3⤵
    - Program crash
    PID:3524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1768
    3⤵
    - Program crash
    PID:3960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1744
    3⤵
    - Program crash
    PID:4088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1768
    3⤵
    - Program crash
    PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1764
    3⤵
    - Program crash
    PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1772
    3⤵
    - Program crash
    PID:212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1768
    3⤵
    - Program crash
    PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1720
    3⤵
    - Program crash
    PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1780
    3⤵
    - Program crash
    PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1772
    3⤵
    - Program crash
    PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1768
    3⤵
    - Program crash
    PID:4748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1724
    3⤵
    - Program crash
    PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1768
    3⤵
    - Program crash
    PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1772
    3⤵
    - Program crash
    PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1724
    3⤵
    - Program crash
    PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1720
    3⤵
    - Program crash
    PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 1764
    3⤵
    - Program crash
    PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1768
    3⤵
    - Program crash
    PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1724
    3⤵
    - Program crash
    PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1728
    3⤵
    - Program crash
    PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1724
    3⤵
    - Program crash
    PID:4264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1780
    3⤵
    - Program crash
    PID:3808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1764
    3⤵
    - Program crash
    PID:4440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1768
    3⤵
    - Program crash
    PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 644 -ip 644
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1560 -ip 1560
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2332 -ip 2332
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2324 -ip 2324
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4688 -ip 4688
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1360 -ip 1360
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2328 -ip 2328
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 312 -ip 312
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4432 -ip 4432
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2240 -ip 2240
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4892 -ip 4892
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 752 -ip 752
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1456 -ip 1456
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2616 -ip 2616
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 912 -ip 912
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2088 -ip 2088
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4696 -ip 4696
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2820 -ip 2820
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1828 -ip 1828
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1396 -ip 1396
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1304 -ip 1304
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2264 -ip 2264
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1408 -ip 1408
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1264 -ip 1264
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4884 -ip 4884
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4864 -ip 4864
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 916 -ip 916
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4092 -ip 4092
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3908 -ip 3908
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2268 -ip 2268
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4292 -ip 4292
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 896 -ip 896
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-165-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-142-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-147-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-148-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-198-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-150-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-145-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-152-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-133-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-154-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-155-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-144-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-196-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-184-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-159-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-194-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-181-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-179-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-163-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-132-0x00000000018F0000-0x000000000190F000-memory.dmp

Filesize
124KB

Download
memory/2036-176-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-166-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-141-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-168-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-175-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-170-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-139-0x0000000001910000-0x0000000001913000-memory.dmp

Filesize
12KB

Download
memory/2036-192-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-183-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/2036-190-0x0000000001120000-0x0000000001123000-memory.dmp

Filesize
12KB

Download
memory/4380-136-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download
memory/4380-137-0x0000000006B40000-0x0000000006D02000-memory.dmp

Filesize
1.8MB

Download
memory/4380-135-0x00000000058D0000-0x000000000596C000-memory.dmp

Filesize
624KB

Download
memory/4380-134-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4380-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download