outsteel | 0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
Size

779KB
MD5

2d9702caab94b9c7788443c13b1b1ce1
SHA1

08cef1c0cc4942221a5304ad0a680324a2f0f39a
SHA256

0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c
SHA512

1c16210cfe63b3287788bd1a79874fb2cb15a953ce580c63c035b9b68fb142dd4e9bf0e57c2ac06816911419025bf3130b5991dc6209def0e5eebe5a5c003e12
SSDEEP

12288:VcNoqHSE4zK0KU7kev8uiq0Tv27uWkYUixp9HGi+gGubDVz4O/:VEoKFKVrwCdivT6NkvixbmHgVbDVzB/

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe

description	ioc	Process
File opened (read-only)	\??\q:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\v:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\y:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\i:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\l:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\n:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\j:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\k:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\o:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\s:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\z:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\a:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\e:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\g:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\t:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\u:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\w:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\x:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\h:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\m:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\p:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\b:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
File opened (read-only)	\??\r:	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4128-2-0x0000000002240000-0x000000000231D000-memory.dmp	autoit_exe
behavioral2/memory/4128-3-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-4-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-5-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-6-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-8-0x0000000002240000-0x000000000231D000-memory.dmp	autoit_exe
behavioral2/memory/4128-9-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-11-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-13-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-15-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-17-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4128-19-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4512	4128	WerFault.exe	83
1704	4128	WerFault.exe	83
3452	4128	WerFault.exe	83
1144	4128	WerFault.exe	83
1352	4128	WerFault.exe	83
1396	4128	WerFault.exe	83
2732	4128	WerFault.exe	83
1840	4128	WerFault.exe	83
2936	4128	WerFault.exe	83
1524	4128	WerFault.exe	83
4432	4128	WerFault.exe	83
2880	4128	WerFault.exe	83
4292	4128	WerFault.exe	83
4796	4128	WerFault.exe	83
4968	4128	WerFault.exe	83
4612	4128	WerFault.exe	83
3156	4128	WerFault.exe	83
2352	4128	WerFault.exe	83
1532	4128	WerFault.exe	83
3316	4128	WerFault.exe	83
632	4128	WerFault.exe	83
3656	4128	WerFault.exe	83
2360	4128	WerFault.exe	83
644	4128	WerFault.exe	83
3028	4128	WerFault.exe	83
4208	4128	WerFault.exe	83
752	4128	WerFault.exe	83
3844	4128	WerFault.exe	83
3956	4128	WerFault.exe	83
2936	4128	WerFault.exe	83
556	4128	WerFault.exe	83
2264	4128	WerFault.exe	83
3548	4128	WerFault.exe	83
3084	4128	WerFault.exe	83
696	4128	WerFault.exe	83
3696	4128	WerFault.exe	83
4612	4128	WerFault.exe	83
3012	4128	WerFault.exe	83
4708	4128	WerFault.exe	83
2932	4128	WerFault.exe	83
1220	4128	WerFault.exe	83
3976	4128	WerFault.exe	83
2376	4128	WerFault.exe	83
972	4128	WerFault.exe	83
4936	4128	WerFault.exe	83
1308	4128	WerFault.exe	83
3028	4128	WerFault.exe	83
752	4128	WerFault.exe	83
1840	4128	WerFault.exe	83
960	4128	WerFault.exe	83
1864	4128	WerFault.exe	83
556	4128	WerFault.exe	83
3724	4128	WerFault.exe	83
3164	4128	WerFault.exe	83
3548	4128	WerFault.exe	83
3592	4128	WerFault.exe	83
3664	4128	WerFault.exe	83
1380	4128	WerFault.exe	83
4040	4128	WerFault.exe	83
1532	4128	WerFault.exe	83
3436	4128	WerFault.exe	83
1680	4128	WerFault.exe	83
3128	4128	WerFault.exe	83
1800	4128	WerFault.exe	83

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe

description	pid	Process	procid_target
PID 4128 wrote to memory of 1120	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	87
PID 4128 wrote to memory of 1120	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	87
PID 4128 wrote to memory of 1120	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	87
PID 4128 wrote to memory of 3436	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	92
PID 4128 wrote to memory of 3436	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	92
PID 4128 wrote to memory of 3436	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	92
PID 4128 wrote to memory of 4740	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	102
PID 4128 wrote to memory of 4740	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	102
PID 4128 wrote to memory of 4740	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	102
PID 4128 wrote to memory of 2524	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	118
PID 4128 wrote to memory of 2524	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	118
PID 4128 wrote to memory of 2524	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	118
PID 4128 wrote to memory of 228	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	127
PID 4128 wrote to memory of 228	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	127
PID 4128 wrote to memory of 228	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	127
PID 4128 wrote to memory of 1836	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	137
PID 4128 wrote to memory of 1836	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	137
PID 4128 wrote to memory of 1836	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	137
PID 4128 wrote to memory of 2944	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	147
PID 4128 wrote to memory of 2944	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	147
PID 4128 wrote to memory of 2944	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	147
PID 4128 wrote to memory of 4808	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	158
PID 4128 wrote to memory of 4808	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	158
PID 4128 wrote to memory of 4808	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	158
PID 4128 wrote to memory of 4440	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	168
PID 4128 wrote to memory of 4440	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	168
PID 4128 wrote to memory of 4440	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	168
PID 4128 wrote to memory of 1992	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	177
PID 4128 wrote to memory of 1992	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	177
PID 4128 wrote to memory of 1992	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	177
PID 4128 wrote to memory of 1100	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	188
PID 4128 wrote to memory of 1100	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	188
PID 4128 wrote to memory of 1100	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	188
PID 4128 wrote to memory of 3520	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	197
PID 4128 wrote to memory of 3520	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	197
PID 4128 wrote to memory of 3520	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	197
PID 4128 wrote to memory of 3924	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	207
PID 4128 wrote to memory of 3924	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	207
PID 4128 wrote to memory of 3924	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	207
PID 4128 wrote to memory of 3408	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	218
PID 4128 wrote to memory of 3408	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	218
PID 4128 wrote to memory of 3408	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	218
PID 4128 wrote to memory of 1956	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	228
PID 4128 wrote to memory of 1956	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	228
PID 4128 wrote to memory of 1956	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	228
PID 4128 wrote to memory of 1748	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	237
PID 4128 wrote to memory of 1748	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	237
PID 4128 wrote to memory of 1748	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	237
PID 4128 wrote to memory of 3008	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	247
PID 4128 wrote to memory of 3008	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	247
PID 4128 wrote to memory of 3008	4128	0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe	247

C:\Users\Admin\AppData\Local\Temp\0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe
"C:\Users\Admin\AppData\Local\Temp\0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 652
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 676
  2⤵
  - Program crash
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 704
  2⤵
  - Program crash
  PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 720
  2⤵
  - Program crash
  PID:1144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 692
  2⤵
  - Program crash
  PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 656
  2⤵
  - Program crash
  PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 720
  2⤵
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 644
  2⤵
  - Program crash
  PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 648
  2⤵
  - Program crash
  PID:2936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 760
  2⤵
  - Program crash
  PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 752
  2⤵
  - Program crash
  PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 656
  2⤵
  - Program crash
  PID:2880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 784
  2⤵
  - Program crash
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 704
  2⤵
  - Program crash
  PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 752
  2⤵
  - Program crash
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:1836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 672
  2⤵
  - Program crash
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 808
  2⤵
  - Program crash
  PID:3156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 844
  2⤵
  - Program crash
  PID:2352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 852
  2⤵
  - Program crash
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:2944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 856
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 888
  2⤵
  - Program crash
  PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 900
  2⤵
  - Program crash
  PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 908
  2⤵
  - Program crash
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 932
  2⤵
  - Program crash
  PID:644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 960
  2⤵
  - Program crash
  PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 968
  2⤵
  - Program crash
  PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 948
  2⤵
  - Program crash
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 880
  2⤵
  - Program crash
  PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 856
  2⤵
  - Program crash
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 940
  2⤵
  - Program crash
  PID:2936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 956
  2⤵
  - Program crash
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 912
  2⤵
  - Program crash
  PID:2264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 952
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 652
  2⤵
  - Program crash
  PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 940
  2⤵
  - Program crash
  PID:696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 932
  2⤵
  - Program crash
  PID:3696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 880
  2⤵
  - Program crash
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 644
  2⤵
  - Program crash
  PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 984
  2⤵
  - Program crash
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 972
  2⤵
  - Program crash
  PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1000
  2⤵
  - Program crash
  PID:1220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 656
  2⤵
  - Program crash
  PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 952
  2⤵
  - Program crash
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1020
  2⤵
  - Program crash
  PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 912
  2⤵
  - Program crash
  PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 920
  2⤵
  - Program crash
  PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 992
  2⤵
  - Program crash
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:3408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 996
  2⤵
  - Program crash
  PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1012
  2⤵
  - Program crash
  PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 844
  2⤵
  - Program crash
  PID:960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 860
  2⤵
  - Program crash
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1008
  2⤵
  - Program crash
  PID:556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 992
  2⤵
  - Program crash
  PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 844
  2⤵
  - Program crash
  PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 920
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 980
  2⤵
  - Program crash
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 992
  2⤵
  - Program crash
  PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 644
  2⤵
  - Program crash
  PID:1380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1016
  2⤵
  - Program crash
  PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1012
  2⤵
  - Program crash
  PID:1532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 880
  2⤵
  - Program crash
  PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 860
  2⤵
  - Program crash
  PID:1680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 884
  2⤵
  - Program crash
  PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1012
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 920
  2⤵
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1008
  2⤵
  PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 864
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 776
  2⤵
  PID:4016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1044
  2⤵
  PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1140
  2⤵
  PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1248
  2⤵
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4128 -ip 4128
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4128 -ip 4128
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4128 -ip 4128
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4128 -ip 4128
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4128 -ip 4128
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4128 -ip 4128
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4128 -ip 4128
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4128 -ip 4128
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4128 -ip 4128
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4128 -ip 4128
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4128 -ip 4128
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4128 -ip 4128
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4128 -ip 4128
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4128 -ip 4128
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4128 -ip 4128
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4128 -ip 4128
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4128 -ip 4128
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4128 -ip 4128
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4128 -ip 4128
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4128 -ip 4128
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4128 -ip 4128
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4128 -ip 4128
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4128 -ip 4128
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4128 -ip 4128
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4128 -ip 4128
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4128 -ip 4128
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4128 -ip 4128
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4128 -ip 4128
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4128 -ip 4128
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4128 -ip 4128
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4128 -ip 4128
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4128 -ip 4128
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4128 -ip 4128
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4128 -ip 4128
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4128 -ip 4128
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4128 -ip 4128
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4128 -ip 4128
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4128 -ip 4128
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4128 -ip 4128
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4128 -ip 4128
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4128 -ip 4128
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4128 -ip 4128
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4128 -ip 4128
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4128 -ip 4128
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4128 -ip 4128
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4128 -ip 4128
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4128 -ip 4128
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4128 -ip 4128
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4128 -ip 4128
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4128 -ip 4128
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4128 -ip 4128
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4128 -ip 4128
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4128 -ip 4128
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4128 -ip 4128
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4128 -ip 4128
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4128 -ip 4128
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4128 -ip 4128
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4128 -ip 4128
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4128-1-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/4128-2-0x0000000002240000-0x000000000231D000-memory.dmp

Filesize
884KB

Download
memory/4128-3-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-5-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-6-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-7-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/4128-8-0x0000000002240000-0x000000000231D000-memory.dmp

Filesize
884KB

Download
memory/4128-9-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-11-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-13-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-15-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-17-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4128-19-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download