outsteel | ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28

General

Target

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
Size

938KB
MD5

d7510192dd826e6c63266ba412c4a8c6
SHA1

e51431ab4448d503db3d154d1da7bec25eb5aaac
SHA256

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28
SHA512

d73107b3f061d95a10f3e2ae025bfccad587866d4ccca8a71b31d51f34119d5127ed313a96ef3fe3421939ae871575d5e7ff7fd28eb9b2ddb3eef7f29c528ebc
SSDEEP

12288:xtkuv9tmvboNKAM9qPg6f0blJwoodEJLaCyi5yH6CxBX5evFmwEH07i2Yvf+vMM4:xtkuv9mENKAiGolJwooKJVyVBpeERjM4

Score

10^/10

outsteel zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2440-3-0x0000000000460000-0x000000000049A000-memory.dmp	family_zgrat_v2

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	ioc	process
File opened (read-only)	\??\e:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\g:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\k:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\l:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\p:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\q:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\s:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\b:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\j:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\o:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\r:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\x:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\a:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\h:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\m:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\n:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\v:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\w:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\i:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\t:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\u:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\y:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\z:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2896-4-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-7-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-8-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-9-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-11-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-17-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-23-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-27-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-31-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-35-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-39-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-45-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-47-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-55-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-59-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-63-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-67-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2896-81-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process	target process
PID 2440 set thread context of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description pid process

Token: SeDebugPrivilege 2440 ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process
Token: SeDebugPrivilege	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exeffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process	target process
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2440 wrote to memory of 2896	2440	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2896 wrote to memory of 3016	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 3016	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 3016	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 3016	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2912	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2912	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2912	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2912	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2612	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2612	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2612	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2612	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2368	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2368	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2368	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2368	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2620	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2620	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2620	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2620	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2360	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2360	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2360	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2360	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2776	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2776	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2776	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2776	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2160	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2160	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2160	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2160	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1440	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1440	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1440	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1440	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2140	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2140	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2140	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2140	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1508	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1508	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1508	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1508	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2684	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2684	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2684	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2684	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2900	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2900	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2900	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 2900	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 2896 wrote to memory of 1708	2896	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
"C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
  C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2440-6-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2440-0-0x0000000000B40000-0x0000000000C2E000-memory.dmp

Filesize
952KB

Download
memory/2440-2-0x00000000046E0000-0x0000000004720000-memory.dmp

Filesize
256KB

Download
memory/2440-3-0x0000000000460000-0x000000000049A000-memory.dmp

Filesize
232KB

Download
memory/2440-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-17-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-35-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-9-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-11-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-23-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-27-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-31-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-7-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-39-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-45-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-47-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-55-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-59-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-63-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-67-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2896-81-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads