Malware Analysis Report

2024-10-10 12:10

Sample ID 240410-nxlhqaee46
Target 6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79
SHA256 6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79
Tags outsteel spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79

Threat Level: Known bad

The file 6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79 was found to be: Known bad.

Malicious Activity Summary

outsteel spyware stealer

OutSteel

OutSteel batch script

Deletes itself

Reads user/profile data of web browsers

Enumerates connected drives

AutoIT Executable

Suspicious use of SetThreadContext

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 11:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 11:46

Reported

2024-04-10 11:49

Platform

win7-20240221-en

Max time kernel

136s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"

Signatures

OutSteel

stealer outsteel

OutSteel batch script

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A

AutoIT Executable

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
PID 2716 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "f:\*.txt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

cmd /c start /min r.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K r.bat

C:\Windows\SysWOW64\cmd.exe

cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"

C:\Windows\SysWOW64\taskkill.exe

Taskkill /IM cmd.exe /F

Network

Country Destination Domain Proto
RU 45.146.164.37:8080 tcp

Files

memory/2440-0-0x0000000000F90000-0x000000000101E000-memory.dmp

memory/2440-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2440-2-0x0000000000680000-0x00000000006C0000-memory.dmp

memory/2440-3-0x0000000000450000-0x000000000045E000-memory.dmp

memory/2716-4-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2440-6-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2716-7-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-8-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-9-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-11-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-15-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-27-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-31-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-43-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-47-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-59-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-63-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-81-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/2716-157-0x0000000000400000-0x00000000004E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r.bat

MD5 481767783ae1eb9829e034b7450c4f97
SHA1 f80589536789db32b90772f5f51aa5636cc832b9
SHA256 502ef9223631bf62206bfc9082d74e0a0c27a8f04b126416f449acad5c0727c4
SHA512 9bf3a50818029083314a423be509551e98384797c44074854a96aa3815712b7de1a101ea2f121539038f9ad41a26eaff6835a82e38126275c2ca269221ce26af

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 11:46

Reported

2024-04-10 11:49

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"

Signatures

OutSteel

stealer outsteel

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A

AutoIT Executable

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe
PID 4560 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

"C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe"

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

C:\Users\Admin\AppData\Local\Temp\6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
RU 45.146.164.37:8080 tcp
RU 45.146.164.37:8080 tcp

Files

memory/1580-1-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/1580-0-0x0000000000910000-0x000000000099E000-memory.dmp

memory/1580-2-0x00000000059E0000-0x0000000005F84000-memory.dmp

memory/1580-3-0x0000000005380000-0x0000000005412000-memory.dmp

memory/1580-4-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/1580-5-0x00000000054F0000-0x0000000005566000-memory.dmp

memory/1580-6-0x0000000005450000-0x000000000545A000-memory.dmp

memory/1580-7-0x0000000005660000-0x000000000567E000-memory.dmp

memory/1580-8-0x00000000056A0000-0x00000000056AE000-memory.dmp

memory/4560-9-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-10-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/1580-13-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4560-12-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-14-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-15-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-21-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-25-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-29-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-34-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-33-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-45-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-49-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-53-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-55-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-57-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-61-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-65-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-66-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-69-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-73-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4560-87-0x0000000000400000-0x00000000004E2000-memory.dmp