bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da

General

Target

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
Size

1.1MB
MD5

df42c439132933e840bb989440b0db6d
SHA1

80e66df85a64d4b88083fcfcd6a280a07ddbaa41
SHA256

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da
SHA512

15a80ca61db62f5c2c24ad1c87d1baae3a8ec247f66df64b03fe8ca3c154d5fd9fdc11db57675bfc56f3d194b16e75c5af1bd5d54b189e87605808d969bc3f6e

Score

10^/10

collection

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
bhavnatutor.com
Port:
587
Username:
[email protected]
Password:
Onyeoba111

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ifconfig.me

flow	ioc
31	ifconfig.me

Suspicious use of SetThreadContext 5 IoCs

Processes:

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

description	pid	process	target process
PID 2272 set thread context of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 set thread context of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 set thread context of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 set thread context of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 set thread context of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1824	4932	WerFault.exe	MSBuild.exe
3384	2160	WerFault.exe	MSBuild.exe
3720	5016	WerFault.exe	MSBuild.exe
3084	4560	WerFault.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

pid	process
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4932	MSBuild.exe
Token: SeDebugPrivilege	2160	MSBuild.exe
Token: SeDebugPrivilege	5016	MSBuild.exe
Token: SeDebugPrivilege	4560	MSBuild.exe
Token: SeDebugPrivilege	760	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

pid	process
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

pid	process
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe

description	pid	process	target process
PID 2272 wrote to memory of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4932	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 2160	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 5016	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 4560	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe
PID 2272 wrote to memory of 760	2272	bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe
"C:\Users\Admin\AppData\Local\Temp\bcb6b071f96c578d2262fc1559b8ee534fecfb47e9cee3096b3cde7576de99da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1480
    3⤵
    - Program crash
    PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1480
    3⤵
    - Program crash
    PID:3384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1484
    3⤵
    - Program crash
    PID:3720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1480
    3⤵
    - Program crash
    PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 4932
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2160 -ip 2160
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5016 -ip 5016
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4560 -ip 4560
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-154-0x0000000000000000-mapping.dmp

Download
memory/760-161-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/760-160-0x0000000007060000-0x00000000070F2000-memory.dmp

Filesize
584KB

Download
memory/760-159-0x0000000006770000-0x00000000067D6000-memory.dmp

Filesize
408KB

Download
memory/2160-142-0x0000000000420000-0x0000000000444000-memory.dmp

Filesize
144KB

Download
memory/2160-139-0x0000000000000000-mapping.dmp

Download
memory/2160-141-0x0000000000422000-0x0000000000441000-memory.dmp

Filesize
124KB

Download
memory/2272-130-0x0000000002660000-0x0000000002680000-memory.dmp

Filesize
128KB

Download
memory/4560-149-0x0000000000000000-mapping.dmp

Download
memory/4932-138-0x0000000006290000-0x0000000006452000-memory.dmp

Filesize
1.8MB

Download
memory/4932-137-0x0000000005640000-0x00000000056DC000-memory.dmp

Filesize
624KB

Download
memory/4932-136-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4932-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4932-131-0x0000000000000000-mapping.dmp

Download
memory/5016-145-0x00000000003A0000-0x00000000003C4000-memory.dmp

Filesize
144KB

Download
memory/5016-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads