outsteel | ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9

General

Target

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
Size

1.4MB
MD5

41af4d9fbd0bc719212b78cd7a1b89ec
SHA1

ca93ffbbc38fbd3c62fb31290a198284ac13be0d
SHA256

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9
SHA512

1461694f1281cad81d823ac85c246480a3281a30b7e1319521bf8f39a70954dcc8cfe76aebaa8069dad133fbb0b5f68600d972c6bb5b8a1442372231fb196bca
SSDEEP

24576:Hqk7E6r5Q7AaJBo3QXerYFnGTx5hJydkCPUhiOd:HqGNQ7AaJB9MQa5KdkC8hR

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	ioc	process
File opened (read-only)	\??\m:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\t:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\x:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\a:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\b:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\h:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\i:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\j:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\y:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\e:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\n:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\o:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\q:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\u:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\g:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\l:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\w:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\z:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\k:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\p:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\r:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\s:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\v:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

AutoIT Executable 19 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2728-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-13-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-15-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-16-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-18-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-24-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-28-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-36-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-40-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-44-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-48-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-52-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-53-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-56-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-57-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-64-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-68-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-72-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/2728-76-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process	target process
PID 3304 set thread context of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description pid process

Token: SeDebugPrivilege 3304 ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process
Token: SeDebugPrivilege	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exeea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process	target process
PID 3304 wrote to memory of 792	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 792	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 792	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 3304 wrote to memory of 2728	3304	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2728 wrote to memory of 4488	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4488	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4488	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3724	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3724	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3724	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3008	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3008	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3008	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4888	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4888	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4888	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4308	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4308	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4308	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3224	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3224	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3224	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2168	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2168	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2168	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2412	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2412	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2412	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 1568	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 1568	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 1568	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4056	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4056	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4056	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3644	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3644	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3644	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3004	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3004	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3004	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3192	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3192	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 3192	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4028	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4028	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4028	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2444	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2444	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2444	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2100	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2100	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 2100	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4640	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4640	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2728 wrote to memory of 4640	2728	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
"C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  2⤵
  PID:792
- C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-11-0x00000000002E0000-0x00000000002E0000-memory.dmp

Download
memory/2728-44-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-28-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-48-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-64-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-57-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-56-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-53-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-52-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-68-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-72-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-76-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-13-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-15-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-16-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-40-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-18-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-24-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2728-36-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3304-8-0x0000000006DB0000-0x0000000006E26000-memory.dmp

Filesize
472KB

Download
memory/3304-17-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-10-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/3304-9-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/3304-0-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-7-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3304-6-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-5-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/3304-4-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3304-3-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/3304-2-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3304-1-0x0000000000BA0000-0x0000000000D14000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads