phoenix | 3a7e74024c233663dc9b627117a4df291f5a413cc829b5282f090941254365ee

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
Size

1.1MB
MD5

f0a7a1ef68bf80596ec2048e4740cde2
SHA1

31ea4c2649c0f7d6ac86e277aee377a149df38b0
SHA256

3a7e74024c233663dc9b627117a4df291f5a413cc829b5282f090941254365ee
SHA512

324510cffabe2dc6a26dc7f52c645bff2946fe0de70c04204af1d7f575833562bc352a3a87b7c3048247c4e777c0b0c094d95b1843a6d31f02dcc415cd7f0eea
SSDEEP

24576:cCdxte/80jYLT3U1jfsWalLT5gu0aDzQ:dw80cTsjkWalLT6

Score

10^/10

phoenix collection credential_access discovery keylogger stealer

Malware Config

Signatures

Phoenix Keylogger
Phoenix is a keylogger and info stealer first seen in July 2019.
stealer keylogger phoenix

Phoenix Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1492-4-0x0000000005300000-0x000000000533A000-memory.dmp	family_phoenix

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ifconfig.me
61	ifconfig.me

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 1492	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	82
PID 4296 set thread context of 2924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	89
PID 4296 set thread context of 4752	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	93
PID 4296 set thread context of 1436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	96
PID 4296 set thread context of 1368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	101
PID 4296 set thread context of 3724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	106
PID 4296 set thread context of 1912	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	109
PID 4296 set thread context of 4448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	112
PID 4296 set thread context of 4412	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	115
PID 4296 set thread context of 4776	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	118
PID 4296 set thread context of 2184	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	122
PID 4296 set thread context of 2872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	125
PID 4296 set thread context of 2724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	129
PID 4296 set thread context of 1552	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	133
PID 4296 set thread context of 4832	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	136
PID 4296 set thread context of 3480	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	141
PID 4296 set thread context of 1868	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	144
PID 4296 set thread context of 704	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	148
PID 4296 set thread context of 4608	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	151
PID 4296 set thread context of 2488	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	155
PID 4296 set thread context of 3728	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	158
PID 4296 set thread context of 1584	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	162
PID 4296 set thread context of 4232	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	166
PID 4296 set thread context of 4436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	169
PID 4296 set thread context of 992	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	172
PID 4296 set thread context of 1320	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	175
PID 4296 set thread context of 3180	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	178
PID 4296 set thread context of 3500	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	181
PID 4296 set thread context of 2960	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	187
PID 4296 set thread context of 4352	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	190
PID 4296 set thread context of 4788	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	193
PID 4296 set thread context of 4820	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	196
PID 4296 set thread context of 1664	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	200
PID 4296 set thread context of 3484	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	203
PID 4296 set thread context of 1488	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	206
PID 4296 set thread context of 3036	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	211
PID 4296 set thread context of 1756	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	214
PID 4296 set thread context of 4244	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	217
PID 4296 set thread context of 2744	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	220
PID 4296 set thread context of 4368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	223
PID 4296 set thread context of 872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	226
PID 4296 set thread context of 3408	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	229
PID 4296 set thread context of 1924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	233
PID 4296 set thread context of 2560	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	236
PID 4296 set thread context of 2592	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	239
PID 4296 set thread context of 748	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	242
PID 4296 set thread context of 940	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	245
PID 4296 set thread context of 5016	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	249
PID 4296 set thread context of 2328	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	252
PID 4296 set thread context of 4388	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	255
PID 4296 set thread context of 3556	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	258
PID 4296 set thread context of 2680	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	261
PID 4296 set thread context of 2448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	264
PID 4296 set thread context of 3356	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	267
PID 4296 set thread context of 4344	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	270
PID 4296 set thread context of 3200	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	274
PID 4296 set thread context of 4004	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	277
PID 4296 set thread context of 464	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	280
PID 4296 set thread context of 2992	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	283
PID 4296 set thread context of 4620	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	287
PID 4296 set thread context of 60	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	290
PID 4296 set thread context of 4524	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	293
PID 4296 set thread context of 2064	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	296
PID 4296 set thread context of 3152	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	299

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3680	1492	WerFault.exe	82
4944	2924	WerFault.exe	89
216	4752	WerFault.exe	93
3744	1436	WerFault.exe	96
4796	1368	WerFault.exe	101
372	3724	WerFault.exe	106
4652	1912	WerFault.exe	109
4476	4448	WerFault.exe	112
2360	4412	WerFault.exe	115
872	4776	WerFault.exe	118
5080	2184	WerFault.exe	122
1344	2872	WerFault.exe	125
4660	2724	WerFault.exe	129
4720	1552	WerFault.exe	133
5064	4832	WerFault.exe	136
4496	3480	WerFault.exe	141
1580	1868	WerFault.exe	144
4804	704	WerFault.exe	148
3400	4608	WerFault.exe	151
1264	2488	WerFault.exe	155
3516	3728	WerFault.exe	158
2796	1584	WerFault.exe	162
3908	4232	WerFault.exe	166
3416	4436	WerFault.exe	169
3520	992	WerFault.exe	172
2268	1320	WerFault.exe	175
4456	3180	WerFault.exe	178
4068	3500	WerFault.exe	181
1180	2960	WerFault.exe	187
1460	4352	WerFault.exe	190
3228	4788	WerFault.exe	193
2216	4820	WerFault.exe	196
3916	1664	WerFault.exe	200
3448	3484	WerFault.exe	203
3368	1488	WerFault.exe	206
4408	3036	WerFault.exe	211
4652	1756	WerFault.exe	214
2844	4244	WerFault.exe	217
5112	2744	WerFault.exe	220
1988	4368	WerFault.exe	223
4928	872	WerFault.exe	226
760	3408	WerFault.exe	229
4524	1924	WerFault.exe	233
3372	2560	WerFault.exe	236
4064	2592	WerFault.exe	239
4408	748	WerFault.exe	242
1684	940	WerFault.exe	245
1300	5016	WerFault.exe	249
1528	2328	WerFault.exe	252
2340	4388	WerFault.exe	255
4840	3556	WerFault.exe	258
2912	2680	WerFault.exe	261
1160	2448	WerFault.exe	264
4084	3356	WerFault.exe	267
1752	4344	WerFault.exe	270
2440	3200	WerFault.exe	274
4880	4004	WerFault.exe	277
3712	464	WerFault.exe	280
3076	2992	WerFault.exe	283
4948	4620	WerFault.exe	287
4492	60	WerFault.exe	290
3448	4524	WerFault.exe	293
2524	2064	WerFault.exe	296
2284	3152	WerFault.exe	299

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	MSBuild.exe
Token: SeDebugPrivilege	2924	MSBuild.exe
Token: SeDebugPrivilege	4752	MSBuild.exe
Token: SeDebugPrivilege	1436	MSBuild.exe
Token: SeDebugPrivilege	1368	MSBuild.exe
Token: SeDebugPrivilege	3724	MSBuild.exe
Token: SeDebugPrivilege	1912	MSBuild.exe
Token: SeDebugPrivilege	4448	MSBuild.exe
Token: SeDebugPrivilege	4412	MSBuild.exe
Token: SeDebugPrivilege	4776	MSBuild.exe
Token: SeDebugPrivilege	2184	MSBuild.exe
Token: SeDebugPrivilege	2872	MSBuild.exe
Token: SeDebugPrivilege	2724	MSBuild.exe
Token: SeDebugPrivilege	1552	MSBuild.exe
Token: SeDebugPrivilege	4832	MSBuild.exe
Token: SeDebugPrivilege	3480	MSBuild.exe
Token: SeDebugPrivilege	1868	MSBuild.exe
Token: SeDebugPrivilege	704	MSBuild.exe
Token: SeDebugPrivilege	4608	MSBuild.exe
Token: SeDebugPrivilege	2488	MSBuild.exe
Token: SeDebugPrivilege	3728	MSBuild.exe
Token: SeDebugPrivilege	1584	MSBuild.exe
Token: SeDebugPrivilege	4232	MSBuild.exe
Token: SeDebugPrivilege	4436	MSBuild.exe
Token: SeDebugPrivilege	992	MSBuild.exe
Token: SeDebugPrivilege	1320	MSBuild.exe
Token: SeDebugPrivilege	3180	MSBuild.exe
Token: SeDebugPrivilege	3500	MSBuild.exe
Token: SeDebugPrivilege	2960	MSBuild.exe
Token: SeDebugPrivilege	4352	MSBuild.exe
Token: SeDebugPrivilege	4788	MSBuild.exe
Token: SeDebugPrivilege	4820	MSBuild.exe
Token: SeDebugPrivilege	1664	MSBuild.exe
Token: SeDebugPrivilege	3484	MSBuild.exe
Token: SeDebugPrivilege	1488	MSBuild.exe
Token: SeDebugPrivilege	3036	MSBuild.exe
Token: SeDebugPrivilege	1756	MSBuild.exe
Token: SeDebugPrivilege	4244	MSBuild.exe
Token: SeDebugPrivilege	2744	MSBuild.exe
Token: SeDebugPrivilege	4368	MSBuild.exe
Token: SeDebugPrivilege	872	MSBuild.exe
Token: SeDebugPrivilege	3408	MSBuild.exe
Token: SeDebugPrivilege	1924	MSBuild.exe
Token: SeDebugPrivilege	2560	MSBuild.exe
Token: SeDebugPrivilege	2592	MSBuild.exe
Token: SeDebugPrivilege	748	MSBuild.exe
Token: SeDebugPrivilege	940	MSBuild.exe
Token: SeDebugPrivilege	5016	MSBuild.exe
Token: SeDebugPrivilege	2328	MSBuild.exe
Token: SeDebugPrivilege	4388	MSBuild.exe
Token: SeDebugPrivilege	3556	MSBuild.exe
Token: SeDebugPrivilege	2680	MSBuild.exe
Token: SeDebugPrivilege	2448	MSBuild.exe
Token: SeDebugPrivilege	3356	MSBuild.exe
Token: SeDebugPrivilege	4344	MSBuild.exe
Token: SeDebugPrivilege	3200	MSBuild.exe
Token: SeDebugPrivilege	4004	MSBuild.exe
Token: SeDebugPrivilege	464	MSBuild.exe
Token: SeDebugPrivilege	2992	MSBuild.exe
Token: SeDebugPrivilege	4620	MSBuild.exe
Token: SeDebugPrivilege	60	MSBuild.exe
Token: SeDebugPrivilege	4524	MSBuild.exe
Token: SeDebugPrivilege	2064	MSBuild.exe
Token: SeDebugPrivilege	3152	MSBuild.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1492	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	82
PID 4296 wrote to memory of 1492	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	82
PID 4296 wrote to memory of 1492	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	82
PID 4296 wrote to memory of 1492	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	82
PID 4296 wrote to memory of 2924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	89
PID 4296 wrote to memory of 2924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	89
PID 4296 wrote to memory of 2924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	89
PID 4296 wrote to memory of 2924	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	89
PID 4296 wrote to memory of 4752	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	93
PID 4296 wrote to memory of 4752	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	93
PID 4296 wrote to memory of 4752	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	93
PID 4296 wrote to memory of 4752	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	93
PID 4296 wrote to memory of 1436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	96
PID 4296 wrote to memory of 1436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	96
PID 4296 wrote to memory of 1436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	96
PID 4296 wrote to memory of 1436	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	96
PID 4296 wrote to memory of 3716	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	100
PID 4296 wrote to memory of 3716	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	100
PID 4296 wrote to memory of 3716	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	100
PID 4296 wrote to memory of 1368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	101
PID 4296 wrote to memory of 1368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	101
PID 4296 wrote to memory of 1368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	101
PID 4296 wrote to memory of 1368	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	101
PID 4296 wrote to memory of 3724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	106
PID 4296 wrote to memory of 3724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	106
PID 4296 wrote to memory of 3724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	106
PID 4296 wrote to memory of 3724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	106
PID 4296 wrote to memory of 1912	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	109
PID 4296 wrote to memory of 1912	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	109
PID 4296 wrote to memory of 1912	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	109
PID 4296 wrote to memory of 1912	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	109
PID 4296 wrote to memory of 4448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	112
PID 4296 wrote to memory of 4448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	112
PID 4296 wrote to memory of 4448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	112
PID 4296 wrote to memory of 4448	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	112
PID 4296 wrote to memory of 4412	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	115
PID 4296 wrote to memory of 4412	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	115
PID 4296 wrote to memory of 4412	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	115
PID 4296 wrote to memory of 4412	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	115
PID 4296 wrote to memory of 4776	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	118
PID 4296 wrote to memory of 4776	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	118
PID 4296 wrote to memory of 4776	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	118
PID 4296 wrote to memory of 4776	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	118
PID 4296 wrote to memory of 920	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	121
PID 4296 wrote to memory of 920	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	121
PID 4296 wrote to memory of 920	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	121
PID 4296 wrote to memory of 2184	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	122
PID 4296 wrote to memory of 2184	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	122
PID 4296 wrote to memory of 2184	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	122
PID 4296 wrote to memory of 2184	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	122
PID 4296 wrote to memory of 2872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	125
PID 4296 wrote to memory of 2872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	125
PID 4296 wrote to memory of 2872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	125
PID 4296 wrote to memory of 2872	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	125
PID 4296 wrote to memory of 612	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	128
PID 4296 wrote to memory of 612	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	128
PID 4296 wrote to memory of 612	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	128
PID 4296 wrote to memory of 2724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	129
PID 4296 wrote to memory of 2724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	129
PID 4296 wrote to memory of 2724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	129
PID 4296 wrote to memory of 2724	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	129
PID 4296 wrote to memory of 1552	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	133
PID 4296 wrote to memory of 1552	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	133
PID 4296 wrote to memory of 1552	4296	f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe	133

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1784
    3⤵
    - Program crash
    PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1748
    3⤵
    - Program crash
    PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1768
    3⤵
    - Program crash
    PID:216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1756
    3⤵
    - Program crash
    PID:3744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1752
    3⤵
    - Program crash
    PID:4796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1756
    3⤵
    - Program crash
    PID:372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1760
    3⤵
    - Program crash
    PID:4652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1756
    3⤵
    - Program crash
    PID:4476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1732
    3⤵
    - Program crash
    PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1752
    3⤵
    - Program crash
    PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1748
    3⤵
    - Program crash
    PID:5080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1732
    3⤵
    - Program crash
    PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1732
    3⤵
    - Program crash
    PID:4660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1732
    3⤵
    - Program crash
    PID:4720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1752
    3⤵
    - Program crash
    PID:5064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1736
    3⤵
    - Program crash
    PID:4496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1784
    3⤵
    - Program crash
    PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:5036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 1772
    3⤵
    - Program crash
    PID:4804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1704
    3⤵
    - Program crash
    PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1736
    3⤵
    - Program crash
    PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1732
    3⤵
    - Program crash
    PID:3516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1732
    3⤵
    - Program crash
    PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1736
    3⤵
    - Program crash
    PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1744
    3⤵
    - Program crash
    PID:3416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1772
    3⤵
    - Program crash
    PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1732
    3⤵
    - Program crash
    PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1732
    3⤵
    - Program crash
    PID:4456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1776
    3⤵
    - Program crash
    PID:4068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1780
    3⤵
    - Program crash
    PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1740
    3⤵
    - Program crash
    PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1732
    3⤵
    - Program crash
    PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1732
    3⤵
    - Program crash
    PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1736
    3⤵
    - Program crash
    PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1732
    3⤵
    - Program crash
    PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1736
    3⤵
    - Program crash
    PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1748
    3⤵
    - Program crash
    PID:4408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1732
    3⤵
    - Program crash
    PID:4652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1732
    3⤵
    - Program crash
    PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1736
    3⤵
    - Program crash
    PID:5112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1732
    3⤵
    - Program crash
    PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1732
    3⤵
    - Program crash
    PID:4928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1732
    3⤵
    - Program crash
    PID:760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1732
    3⤵
    - Program crash
    PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1728
    3⤵
    - Program crash
    PID:3372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1732
    3⤵
    - Program crash
    PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1732
    3⤵
    - Program crash
    PID:4408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1728
    3⤵
    - Program crash
    PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1732
    3⤵
    - Program crash
    PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1728
    3⤵
    - Program crash
    PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1728
    3⤵
    - Program crash
    PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1728
    3⤵
    - Program crash
    PID:4840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1732
    3⤵
    - Program crash
    PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1736
    3⤵
    - Program crash
    PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1732
    3⤵
    - Program crash
    PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1732
    3⤵
    - Program crash
    PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1756
    3⤵
    - Program crash
    PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1752
    3⤵
    - Program crash
    PID:4880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1732
    3⤵
    - Program crash
    PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1732
    3⤵
    - Program crash
    PID:3076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:5080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1732
    3⤵
    - Program crash
    PID:4948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1728
    3⤵
    - Program crash
    PID:4492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1732
    3⤵
    - Program crash
    PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1732
    3⤵
    - Program crash
    PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1728
    3⤵
    - Program crash
    PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:3708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1732
    3⤵
    PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1732
    3⤵
    PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1752
    3⤵
    PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  PID:4628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1752
    3⤵
    PID:4080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1732
    3⤵
    PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1492 -ip 1492
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2924 -ip 2924
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4752 -ip 4752
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1368 -ip 1368
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3724 -ip 3724
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1912 -ip 1912
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4448 -ip 4448
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4776 -ip 4776
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2184 -ip 2184
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2872 -ip 2872
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2724 -ip 2724
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1552 -ip 1552
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4832 -ip 4832
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3480 -ip 3480
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1868 -ip 1868
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 704 -ip 704
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4608 -ip 4608
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2488 -ip 2488
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3728 -ip 3728
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1584 -ip 1584
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4232 -ip 4232
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 992 -ip 992
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1320 -ip 1320
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3180 -ip 3180
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3500 -ip 3500
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2960 -ip 2960
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4352 -ip 4352
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4788 -ip 4788
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4820 -ip 4820
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1664 -ip 1664
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3484 -ip 3484
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1488 -ip 1488
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3036 -ip 3036
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1756 -ip 1756
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4244 -ip 4244
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2744 -ip 2744
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4368 -ip 4368
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 872 -ip 872
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3408 -ip 3408
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1924 -ip 1924
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2560 -ip 2560
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2592 -ip 2592
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 748 -ip 748
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 940 -ip 940
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5016 -ip 5016
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2328 -ip 2328
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3556 -ip 3556
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2680 -ip 2680
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2448 -ip 2448
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3356 -ip 3356
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4344 -ip 4344
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3200 -ip 3200
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4004 -ip 4004
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 464 -ip 464
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2992 -ip 2992
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4620 -ip 4620
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 60 -ip 60
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4524 -ip 4524
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2064 -ip 2064
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3152 -ip 3152
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4804 -ip 4804
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4764 -ip 4764
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2996 -ip 2996
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4928 -ip 4928
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 536 -ip 536
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-8-0x00000000063C0000-0x0000000006426000-memory.dmp

Filesize
408KB

Download
memory/1492-10-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/1492-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1492-3-0x0000000073BBE000-0x0000000073BBF000-memory.dmp

Filesize
4KB

Download
memory/1492-7-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/1492-5-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/1492-9-0x0000000006BE0000-0x0000000006DA2000-memory.dmp

Filesize
1.8MB

Download
memory/1492-6-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/1492-4-0x0000000005300000-0x000000000533A000-memory.dmp

Filesize
232KB

Download
memory/2924-12-0x0000000073BBE000-0x0000000073BBF000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/2924-14-0x0000000073BB0000-0x0000000074360000-memory.dmp

Filesize
7.7MB

Download
memory/4296-1-0x00000000017A0000-0x00000000017A3000-memory.dmp

Filesize
12KB

Download
memory/4296-0-0x0000000001780000-0x000000000179F000-memory.dmp

Filesize
124KB

Download
memory/4296-19-0x00000000017A0000-0x00000000017A3000-memory.dmp

Filesize
12KB

Download
memory/4296-22-0x00000000017A0000-0x00000000017A3000-memory.dmp

Filesize
12KB

Download