outsteel | afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
Size

623KB
MD5

103118660a0abadc99831e23777979b5
SHA1

f69be5dcf16ef31a9aa66dce34f35fd84972f3e7
SHA256

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a
SHA512

7bf46133dd6e8c17185ecd7b44ecb3ca03d21deeb8d008da60e4dd131a0bc31201ba9286a9106e52a62e845092ce605d9f79a712cf7481cbd5b85359dc332857
SSDEEP

12288:Klvu3c06Ss3jOgT2ZQWiypMCRmAAw0tNic8XuPtHmF9zvN9u:iusdptjCRmAAw0tNZ8XO1m3x9u

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe

description	ioc	process
File opened (read-only)	\??\g:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\i:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\k:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\m:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\r:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\s:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\b:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\t:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\e:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\j:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\l:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\n:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\p:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\h:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\o:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\q:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\u:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\v:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\w:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\x:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\y:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\a:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
File opened (read-only)	\??\z:	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/540-2-0x00000000023A0000-0x000000000247D000-memory.dmp	autoit_exe
behavioral2/memory/540-3-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-4-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-5-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-7-0x00000000023A0000-0x000000000247D000-memory.dmp	autoit_exe
behavioral2/memory/540-8-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-9-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-11-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-13-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-15-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-17-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/540-19-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4512	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3972	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4892	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1188	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
864	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2588	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3816	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3384	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3372	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3576	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1800	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4548	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4844	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3372	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4532	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1716	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3668	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4520	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3384	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1844	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4404	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2140	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4548	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2520	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2888	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4512	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
436	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3916	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3024	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4356	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1136	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3116	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1492	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2072	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4772	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2628	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
452	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2216	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3116	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4520	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4548	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3300	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1340	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3232	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1416	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2560	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4088	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
864	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2960	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3732	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
116	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4520	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3200	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4376	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1768	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4736	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
3516	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
624	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4304	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4872	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1056	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
1384	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
2888	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
4296	540	WerFault.exe	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe

description	pid	process	target process
PID 540 wrote to memory of 2700	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 2700	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 2700	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3480	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3480	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3480	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1000	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1000	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1000	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3276	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3276	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3276	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3704	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3704	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3704	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4424	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4424	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4424	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4292	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4292	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4292	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1564	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 872	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 872	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 872	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3456	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3456	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3456	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1128	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1128	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 1128	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3332	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3332	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 3332	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4356	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4356	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4356	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4528	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4528	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4528	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 2876	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 2876	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 2876	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4404	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4404	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe
PID 540 wrote to memory of 4404	540	afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe
"C:\Users\Admin\AppData\Local\Temp\afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 604
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:3480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 576
  2⤵
  - Program crash
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 628
  2⤵
  - Program crash
  PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 700
  2⤵
  - Program crash
  PID:1188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 732
  2⤵
  - Program crash
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:1000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 740
  2⤵
  - Program crash
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 704
  2⤵
  - Program crash
  PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 700
  2⤵
  - Program crash
  PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 672
  2⤵
  - Program crash
  PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:1564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 648
  2⤵
  - Program crash
  PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 712
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 760
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 768
  2⤵
  - Program crash
  PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:3276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 744
  2⤵
  - Program crash
  PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 644
  2⤵
  - Program crash
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 772
  2⤵
  - Program crash
  PID:1716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 672
  2⤵
  - Program crash
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 800
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 820
  2⤵
  - Program crash
  PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 828
  2⤵
  - Program crash
  PID:1844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 808
  2⤵
  - Program crash
  PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 844
  2⤵
  - Program crash
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 864
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 872
  2⤵
  - Program crash
  PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 800
  2⤵
  - Program crash
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 916
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 876
  2⤵
  - Program crash
  PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 800
  2⤵
  - Program crash
  PID:3916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 896
  2⤵
  - Program crash
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 888
  2⤵
  - Program crash
  PID:4356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 868
  2⤵
  - Program crash
  PID:1136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 876
  2⤵
  - Program crash
  PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 904
  2⤵
  - Program crash
  PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 636
  2⤵
  - Program crash
  PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 836
  2⤵
  - Program crash
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 876
  2⤵
  - Program crash
  PID:2628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 712
  2⤵
  - Program crash
  PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 828
  2⤵
  - Program crash
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 716
  2⤵
  - Program crash
  PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 816
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 908
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:1128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 864
  2⤵
  - Program crash
  PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 964
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 984
  2⤵
  - Program crash
  PID:3232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 972
  2⤵
  - Program crash
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 920
  2⤵
  - Program crash
  PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1012
  2⤵
  - Program crash
  PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1020
  2⤵
  - Program crash
  PID:864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 984
  2⤵
  - Program crash
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:4356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 980
  2⤵
  - Program crash
  PID:3732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1020
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 988
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1000
  2⤵
  - Program crash
  PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 972
  2⤵
  - Program crash
  PID:4376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 928
  2⤵
  - Program crash
  PID:1768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1000
  2⤵
  - Program crash
  PID:4736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1008
  2⤵
  - Program crash
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 928
  2⤵
  - Program crash
  PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 964
  2⤵
  - Program crash
  PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1004
  2⤵
  - Program crash
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 980
  2⤵
  - Program crash
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 908
  2⤵
  - Program crash
  PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 976
  2⤵
  - Program crash
  PID:2888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 944
  2⤵
  - Program crash
  PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 908
  2⤵
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1004
  2⤵
  PID:684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 928
  2⤵
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 944
  2⤵
  PID:2080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 688
  2⤵
  PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 676
  2⤵
  PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1140
  2⤵
  PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1208
  2⤵
  PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 540 -ip 540
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 540 -ip 540
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 540 -ip 540
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 540 -ip 540
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 540 -ip 540
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 540 -ip 540
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 540 -ip 540
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 540 -ip 540
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 540 -ip 540
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 540 -ip 540
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 540 -ip 540
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 540 -ip 540
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 540 -ip 540
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 540 -ip 540
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 540 -ip 540
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 540 -ip 540
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 540 -ip 540
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 540 -ip 540
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 540 -ip 540
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 540 -ip 540
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 540 -ip 540
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 540 -ip 540
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 540 -ip 540
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 540 -ip 540
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 540 -ip 540
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 540 -ip 540
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 540 -ip 540
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 540 -ip 540
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 540 -ip 540
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 540 -ip 540
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 540 -ip 540
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 540 -ip 540
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 540 -ip 540
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 540 -ip 540
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 540 -ip 540
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 540 -ip 540
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 540 -ip 540
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 540 -ip 540
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 540 -ip 540
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 540 -ip 540
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 540 -ip 540
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 540 -ip 540
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 540 -ip 540
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 540 -ip 540
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 540 -ip 540
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 540 -ip 540
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 540 -ip 540
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 540 -ip 540
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 540 -ip 540
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 540 -ip 540
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 540 -ip 540
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 540 -ip 540
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 540 -ip 540
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 540 -ip 540
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 540 -ip 540
1⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1260 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 540 -ip 540
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 540 -ip 540
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 540 -ip 540
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 540 -ip 540
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 540 -ip 540
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 540 -ip 540
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 540 -ip 540
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 540 -ip 540
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 540 -ip 540
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 540 -ip 540
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 540 -ip 540
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-1-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/540-2-0x00000000023A0000-0x000000000247D000-memory.dmp

Filesize
884KB

Download
memory/540-3-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-5-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-6-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/540-7-0x00000000023A0000-0x000000000247D000-memory.dmp

Filesize
884KB

Download
memory/540-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-9-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-11-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-13-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-15-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-17-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/540-19-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download