Overview

overview

10

Static

static

5

0bec6fa8f9...18.exe

windows7-x64

10

0bec6fa8f9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bec6fa8f995272581d8663786efb3b8_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    0bec6fa8f995272581d8663786efb3b8

  • SHA1

    605b6865d43ac4c32f4b3f3f4534d832509819f5

  • SHA256

    46ff34ff0185ef7fa03e8e3578623ddac35e6c622fdc30f0c6501ce0467e8de0

  • SHA512

    e539b510a8e62ee632dddeaa1303317185377ec8ecd269201d9999b4f02f1700b3084c3d7bce0548da1030b99dfdf26ec05c5b5f0c9086cdc0e4b960f4672a8b

  • SSDEEP

    24576:qu6J33O0c+JY5UZ+XC0kGso6Fai/om/oG7a88P5r1YWY:cu0c++OCvkGs9Fai/X/BW8YlY

Score
10/10
404keyloggercollectionkeyloggerstealer

Malware Config

Signatures

  • 404 Keylogger

    Information stealer and keylogger first seen in 2019.

    stealerkeylogger404keylogger
  • 404 Keylogger Main Executable 1 IoCs
  • Drops startup file 34 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs
    collection
  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 33 IoCs
  • Program crash 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bec6fa8f995272581d8663786efb3b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0bec6fa8f995272581d8663786efb3b8_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1424
        3⤵
        • Program crash
        PID:5092
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:3412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 1416
        3⤵
        • Program crash
        PID:772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1416
        3⤵
        • Program crash
        PID:3052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1424
        3⤵
        • Program crash
        PID:4312
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1416
        3⤵
        • Program crash
        PID:2852
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops startup file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      PID:436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1416
        3⤵
        • Program crash
        PID:2712
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
        PID:3876
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
        2⤵
          PID:3028
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
          2⤵
          • Drops startup file
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          PID:4852
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1416
            3⤵
            • Program crash
            PID:4316
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
          2⤵
            PID:4844
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
            2⤵
            • Drops startup file
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            PID:116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1416
              3⤵
              • Program crash
              PID:4908
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
            2⤵
            • Drops startup file
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1416
              3⤵
              • Program crash
              PID:692
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
            2⤵
              PID:4352
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
              2⤵
                PID:4588
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                2⤵
                • Drops startup file
                • Accesses Microsoft Outlook profiles
                • Suspicious use of AdjustPrivilegeToken
                PID:3780
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1416
                  3⤵
                  • Program crash
                  PID:3740
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                2⤵
                • Drops startup file
                • Accesses Microsoft Outlook profiles
                • Suspicious use of AdjustPrivilegeToken
                PID:456
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1416
                  3⤵
                  • Program crash
                  PID:2296
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                2⤵
                • Drops startup file
                • Accesses Microsoft Outlook profiles
                • Suspicious use of AdjustPrivilegeToken
                PID:4412
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1416
                  3⤵
                  • Program crash
                  PID:2376
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                2⤵
                • Drops startup file
                • Accesses Microsoft Outlook profiles
                • Suspicious use of AdjustPrivilegeToken
                PID:224
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1416
                  3⤵
                  • Program crash
                  PID:60
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                2⤵
                  PID:1796
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                  2⤵
                  • Drops startup file
                  • Accesses Microsoft Outlook profiles
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3516
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1416
                    3⤵
                    • Program crash
                    PID:4468
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                  2⤵
                    PID:3708
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                    • Drops startup file
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1108
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1416
                      3⤵
                      • Program crash
                      PID:760
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                    • Drops startup file
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3996
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1416
                      3⤵
                      • Program crash
                      PID:4772
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                    • Drops startup file
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1016
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1416
                      3⤵
                      • Program crash
                      PID:3064
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                    • Drops startup file
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4776
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1420
                      3⤵
                      • Program crash
                      PID:4148
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                    • Drops startup file
                    • Accesses Microsoft Outlook profiles
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1208
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1416
                      3⤵
                      • Program crash
                      PID:4924
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                    2⤵
                      PID:2772
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                      2⤵
                        PID:4680
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                        2⤵
                        • Drops startup file
                        • Accesses Microsoft Outlook profiles
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5092
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1424
                          3⤵
                          • Program crash
                          PID:2596
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                        2⤵
                        • Drops startup file
                        • Accesses Microsoft Outlook profiles
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3012
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1416
                          3⤵
                          • Program crash
                          PID:556
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                        2⤵
                          PID:4584
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4172
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1416
                            3⤵
                            • Program crash
                            PID:4928
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1496
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1416
                            3⤵
                            • Program crash
                            PID:2432
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3732
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1416
                            3⤵
                            • Program crash
                            PID:4468
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1568
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1416
                            3⤵
                            • Program crash
                            PID:4968
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4068
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1408
                            3⤵
                            • Program crash
                            PID:4368
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2068
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1416
                            3⤵
                            • Program crash
                            PID:5068
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3596
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1424
                            3⤵
                            • Program crash
                            PID:4908
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1284
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1416
                            3⤵
                            • Program crash
                            PID:4840
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2796
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1416
                            3⤵
                            • Program crash
                            PID:3500
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2308
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1420
                            3⤵
                            • Program crash
                            PID:2824
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                          • Drops startup file
                          • Accesses Microsoft Outlook profiles
                          • Suspicious use of AdjustPrivilegeToken
                          • outlook_office_path
                          • outlook_win_path
                          PID:2296
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1424
                            3⤵
                            • Program crash
                            PID:1760
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                          2⤵
                            PID:556
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                            2⤵
                            • Drops startup file
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1156
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1992 -ip 1992
                          1⤵
                            PID:1340
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3412 -ip 3412
                            1⤵
                              PID:3600
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 748 -ip 748
                              1⤵
                                PID:1252
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2004 -ip 2004
                                1⤵
                                  PID:2244
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4488 -ip 4488
                                  1⤵
                                    PID:3124
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 436 -ip 436
                                    1⤵
                                      PID:448
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4852 -ip 4852
                                      1⤵
                                        PID:4356
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 116 -ip 116
                                        1⤵
                                          PID:3064
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2272 -ip 2272
                                          1⤵
                                            PID:4052
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3780 -ip 3780
                                            1⤵
                                              PID:2804
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 456 -ip 456
                                              1⤵
                                                PID:2596
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4412 -ip 4412
                                                1⤵
                                                  PID:2032
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 224 -ip 224
                                                  1⤵
                                                    PID:432
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3516 -ip 3516
                                                    1⤵
                                                      PID:1436
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1108 -ip 1108
                                                      1⤵
                                                        PID:1880
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3996 -ip 3996
                                                        1⤵
                                                          PID:3568
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1016 -ip 1016
                                                          1⤵
                                                            PID:4400
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4776 -ip 4776
                                                            1⤵
                                                              PID:5000
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1208 -ip 1208
                                                              1⤵
                                                                PID:2232
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092
                                                                1⤵
                                                                  PID:4076
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3012 -ip 3012
                                                                  1⤵
                                                                    PID:3492
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4172 -ip 4172
                                                                    1⤵
                                                                      PID:220
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1496 -ip 1496
                                                                      1⤵
                                                                        PID:1256
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3732 -ip 3732
                                                                        1⤵
                                                                          PID:1996
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1568 -ip 1568
                                                                          1⤵
                                                                            PID:3336
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4068 -ip 4068
                                                                            1⤵
                                                                              PID:4044
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2068 -ip 2068
                                                                              1⤵
                                                                                PID:4004
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3596 -ip 3596
                                                                                1⤵
                                                                                  PID:4032
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1284 -ip 1284
                                                                                  1⤵
                                                                                    PID:3216
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2796 -ip 2796
                                                                                    1⤵
                                                                                      PID:2900
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2308 -ip 2308
                                                                                      1⤵
                                                                                        PID:1876
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2296 -ip 2296
                                                                                        1⤵
                                                                                          PID:2328

                                                                                        Network

                                                                                        MITRE ATT&CK Enterprise v15

                                                                                        Replay Monitor

                                                                                        Loading Replay Monitor...

                                                                                        Downloads

                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.js
                                                                                          Filesize

                                                                                          163B

                                                                                          MD5

                                                                                          eb5d98f3ff8e6388f17c6d130a4516e1

                                                                                          SHA1

                                                                                          7427850e1901604cd29888832393b49348d03c67

                                                                                          SHA256

                                                                                          14e9d3734116572a231452c88759f4ced25a0278aaa4bc4c8a1caa30e6568277

                                                                                          SHA512

                                                                                          16f5e064a2e67db5a28345b1f7c4c762c9265a7c1170a7ef5973f23f98223c45bc5e58253a1e94100b742d145fba50e7238992be480af6599cc7b5c76d128eca

                                                                                          Download Submit

                                                                                        • memory/1992-10-0x00000000030F0000-0x0000000003100000-memory.dmp

                                                                                          Filesize

                                                                                          64KB

                                                                                          Download

                                                                                        • memory/1992-5-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                          Filesize

                                                                                          136KB

                                                                                          Download

                                                                                        • memory/1992-6-0x00000000740E0000-0x0000000074890000-memory.dmp

                                                                                          Filesize

                                                                                          7.7MB

                                                                                          Download

                                                                                        • memory/1992-7-0x0000000005D00000-0x00000000062A4000-memory.dmp

                                                                                          Filesize

                                                                                          5.6MB

                                                                                          Download

                                                                                        • memory/1992-8-0x0000000005690000-0x000000000572C000-memory.dmp

                                                                                          Filesize

                                                                                          624KB

                                                                                          Download

                                                                                        • memory/1992-11-0x0000000006780000-0x0000000006942000-memory.dmp

                                                                                          Filesize

                                                                                          1.8MB

                                                                                          Download

                                                                                        • memory/1992-12-0x00000000740E0000-0x0000000074890000-memory.dmp

                                                                                          Filesize

                                                                                          7.7MB

                                                                                          Download

                                                                                        • memory/3056-3-0x0000000000DD0000-0x0000000000E09000-memory.dmp

                                                                                          Filesize

                                                                                          228KB

                                                                                          Download

                                                                                        • memory/3056-4-0x0000000000E10000-0x0000000000E49000-memory.dmp

                                                                                          Filesize

                                                                                          228KB

                                                                                          Download

                                                                                        • memory/3412-14-0x00000000740E0000-0x0000000074890000-memory.dmp

                                                                                          Filesize

                                                                                          7.7MB

                                                                                          Download

                                                                                        • memory/3412-17-0x00000000050A0000-0x00000000050B0000-memory.dmp

                                                                                          Filesize

                                                                                          64KB

                                                                                          Download

                                                                                        • memory/3412-18-0x00000000740E0000-0x0000000074890000-memory.dmp

                                                                                          Filesize

                                                                                          7.7MB

                                                                                          Download