Malware Analysis Report

2024-10-10 12:10

Sample ID 240410-pdb1lsfb77
Target 7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871
SHA256 7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871
Tags
outsteel spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871

Threat Level: Known bad

The file 7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871 was found to be: Known bad.

Malicious Activity Summary

outsteel spyware stealer

OutSteel

Reads user/profile data of web browsers

Enumerates connected drives

AutoIT Executable

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 12:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 12:12

Reported

2024-04-10 12:15

Platform

win7-20240221-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe"

Signatures

OutSteel

stealer outsteel

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe

"C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

Network

Country Destination Domain Proto
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp

Files

memory/2184-1-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2184-2-0x00000000004F0000-0x00000000005CD000-memory.dmp

memory/2184-3-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-4-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-6-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2184-7-0x00000000004F0000-0x00000000005CD000-memory.dmp

memory/2184-8-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-11-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-13-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-15-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-17-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2184-19-0x0000000000400000-0x00000000004E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 12:12

Reported

2024-04-10 12:15

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe"

Signatures

OutSteel

stealer outsteel

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe

"C:\Users\Admin\AppData\Local\Temp\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2600 -ip 2600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 740

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 712

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 708

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 720

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2600 -ip 2600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2600 -ip 2600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 856

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2600 -ip 2600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 980

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 952

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1020

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 980

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 992

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2600 -ip 2600

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 944

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1244
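
The Processes section above shows PID 2600 launching one cmd.exe per file type, each running DIR with /S (recurse), /B (bare paths) and /U (UTF-16 output to the capturing parent) against the user profile: a document-collection sweep over office, database and archive extensions. The Python below is an added detection example written for this page, not code from the report or from the OutSteel sample. The event fields (ppid, parent, cmdline) are an assumed process-creation log schema, and the events are constructed from the command lines above plus one benign control.

```python
"""Flag a parent that enumerates user documents one extension at a time via
cmd.exe DIR, the sweep visible in the Processes section of this report."""
import re
from collections import defaultdict

# Extensions the sample searched for, taken from the DIR command lines above.
TARGET_EXTS = {"doc", "pdf", "ppt", "dot", "xl", "csv", "rtf", "mdb", "accdb",
               "pot", "pps", "ppa", "rar", "zip", "tar", "7z"}

# Matches: cmd[.exe] [/U ...] /C DIR "<path>\*.<ext>" [/S /B /A ...]
DIR_RE = re.compile(
    r'(?i)\bcmd(?:\.exe)?\b(?P<pre>(?:\s+/[A-Z])*)\s+/C\s+DIR\s+'
    r'"?(?P<path>[^"\s]*?\*\.(?P<ext>[A-Z0-9]+))"?'
    r'(?P<flags>(?:\s+/[A-Z])*)'
)

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871.exe")

# Constructed process-creation events modelled on the report's command lines.
# The field names (ppid, parent, cmdline) are an assumed log schema, not a
# real EDR format.
SAMPLE_EVENTS = [
    {"ppid": 2600, "parent": SAMPLE_EXE,
     "cmdline": r'C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.%s" /S /B /A' % ext}
    for ext in ("doc", "pdf", "ppt", "dot", "xl", "csv", "rtf")
] + [
    # Benign control: one interactive listing of log files, not a document sweep.
    {"ppid": 4100, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c dir "C:\logs\*.log" /S'},
]


def parse_dir_enum(cmdline):
    """Return the extension, path and switches of a cmd.exe DIR wildcard
    listing, or None when the command line is something else."""
    m = DIR_RE.search(cmdline)
    if not m:
        return None
    pre = {f.upper() for f in re.findall(r"/([A-Za-z])", m.group("pre"))}
    flags = {f.upper() for f in re.findall(r"/([A-Za-z])", m.group("flags"))}
    return {
        "ext": m.group("ext").lower(),
        "path": m.group("path"),
        "recursive": "S" in flags,  # /S walks every subdirectory
        "bare": "B" in flags,       # /B prints bare paths, easy for a program to parse
        "unicode": "U" in pre,      # /U writes UTF-16 when output goes to a pipe
    }


def find_document_enumerators(events, min_exts=3):
    """Group recursive DIR listings of target extensions by parent process and
    return the parents that swept at least `min_exts` distinct extensions."""
    seen = defaultdict(set)
    for ev in events:
        hit = parse_dir_enum(ev["cmdline"])
        if hit and hit["recursive"] and hit["ext"] in TARGET_EXTS:
            seen[(ev["ppid"], ev["parent"])].add(hit["ext"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_exts}


if __name__ == "__main__":
    for (ppid, parent), exts in find_document_enumerators(SAMPLE_EVENTS).items():
        print(f"PID {ppid} {parent} swept {len(exts)} extensions: {', '.join(exts)}")
```

Keying on the parent rather than on any single cmd.exe is what separates this from a user typing one DIR: a lone recursive listing of *.log from an interactive shell is never reported, while a parent that walks three or more of the target extensions in turn is. The extension list is copied from the report as written, including the literal `*.xl`.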

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
GB 172.217.169.74:443 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
IR 194.147.142.232:8080 N/A tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
IR 194.147.142.232:8080 N/A tcp

Files

memory/2600-1-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/2600-2-0x0000000002270000-0x000000000234D000-memory.dmp

memory/2600-3-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-4-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-5-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-6-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/2600-7-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-8-0x0000000002270000-0x000000000234D000-memory.dmp

memory/2600-9-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-10-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-11-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-12-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-13-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-14-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-17-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-19-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2600-21-0x0000000000400000-0x00000000004E2000-memory.dmp