outsteel | a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb

General

Target

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
Size

537KB
MD5

7327a3dd34b3a6c218d00ef9cfa2ef1b
SHA1

2b12fae645fce9c944e6035f6e69bdc67103f28d
SHA256

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb
SHA512

e82f5027bff214293df7c390eeab6396e7a5dcb965bf0c57e6343c6c897f4a2804e37847b1b9790c2d5eee8f0adf551b93afadb7f5ff73556a6c552dd1c604f1
SSDEEP

12288:fTfkeaLvOAyAEEuqlHJRzw+XE2uQXBirHdhqo+HSk:PaSAyAg4pK+LuQXBirHuoUl

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

description	ioc	process
File opened (read-only)	\??\m:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\o:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\s:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\t:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\e:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\h:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\j:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\w:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\y:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\b:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\g:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\u:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\n:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\p:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\q:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\a:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\k:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\l:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\x:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\z:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\i:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\r:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
File opened (read-only)	\??\v:	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

AutoIT Executable 24 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2708-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-13-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-15-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-16-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-18-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-22-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-26-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-34-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-38-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-42-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-46-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-50-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-51-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-55-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-54-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-58-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-62-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-66-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-67-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-70-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-71-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-74-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2708-88-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

description	pid	process	target process
PID 1824 set thread context of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

description pid process

Token: SeDebugPrivilege 1824 a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

description	pid	process
Token: SeDebugPrivilege	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exea9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe

description	pid	process	target process
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 1824 wrote to memory of 2708	1824	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
PID 2708 wrote to memory of 3724	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3724	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3724	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1076	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1076	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1076	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3972	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3972	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3972	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4744	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4744	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4744	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4212	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4212	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4212	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3564	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3564	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3564	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4612	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4612	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4612	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4228	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4228	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4228	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3492	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3492	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3492	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 536	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 536	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 536	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3004	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3004	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3004	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3288	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3288	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3288	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 668	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 668	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 668	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3568	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3568	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 3568	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4636	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4636	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4636	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4940	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4940	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 4940	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 2784	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 2784	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 2784	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1060	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1060	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe
PID 2708 wrote to memory of 1060	2708	a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
"C:\Users\Admin\AppData\Local\Temp\a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
  C:\Users\Admin\AppData\Local\Temp\a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb.exe
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-14-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/1824-1-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/1824-2-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/1824-3-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/1824-4-0x0000000005800000-0x0000000005876000-memory.dmp

Filesize
472KB

Download
memory/1824-5-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/1824-6-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1824-7-0x0000000005930000-0x000000000594E000-memory.dmp

Filesize
120KB

Download
memory/1824-8-0x00000000061E0000-0x000000000625A000-memory.dmp

Filesize
488KB

Download
memory/1824-9-0x0000000005910000-0x000000000591E000-memory.dmp

Filesize
56KB

Download
memory/1824-0-0x0000000000E00000-0x0000000000E8A000-memory.dmp

Filesize
552KB

Download
memory/2708-18-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-46-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-15-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-16-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-22-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-26-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-34-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-38-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-42-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-13-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-50-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-51-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-55-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-54-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-58-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-62-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-66-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-67-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-70-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-71-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-74-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2708-88-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads