outsteel | ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28

General

Target

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
Size

938KB
MD5

d7510192dd826e6c63266ba412c4a8c6
SHA1

e51431ab4448d503db3d154d1da7bec25eb5aaac
SHA256

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28
SHA512

d73107b3f061d95a10f3e2ae025bfccad587866d4ccca8a71b31d51f34119d5127ed313a96ef3fe3421939ae871575d5e7ff7fd28eb9b2ddb3eef7f29c528ebc
SSDEEP

12288:xtkuv9tmvboNKAM9qPg6f0blJwoodEJLaCyi5yH6CxBX5evFmwEH07i2Yvf+vMM4:xtkuv9mENKAiGolJwooKJVyVBpeERjM4

Score

10^/10

outsteel zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2196-5-0x0000000005210000-0x000000000524A000-memory.dmp	family_zgrat_v2

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	ioc	process
File opened (read-only)	\??\e:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\s:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\t:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\y:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\z:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\a:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\b:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\j:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\n:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\o:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\p:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\r:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\u:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\g:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\h:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\v:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\w:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\l:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\m:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\q:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\x:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\i:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
File opened (read-only)	\??\k:	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

AutoIT Executable 21 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4372-6-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-8-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-11-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-14-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-26-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-30-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-34-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-35-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-38-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-42-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-46-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-47-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-50-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-58-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-63-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-62-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-66-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-70-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/4372-84-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process	target process
PID 2196 set thread context of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description pid process

Token: SeDebugPrivilege 2196 ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process
Token: SeDebugPrivilege	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exeffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe

description	pid	process	target process
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 2196 wrote to memory of 4372	2196	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
PID 4372 wrote to memory of 1512	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1512	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1512	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4236	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4236	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4236	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1844	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1844	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1844	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4532	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4532	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4532	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4536	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4536	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4536	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4548	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4548	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4548	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3112	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3112	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3112	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3732	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3732	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3732	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4604	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4604	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4604	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4864	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4864	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 4864	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3164	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3164	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3164	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3928	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3928	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3928	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1668	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1668	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1668	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 384	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 384	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 384	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3596	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3596	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3596	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3888	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3888	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 3888	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1216	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1216	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1216	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1032	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1032	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe
PID 4372 wrote to memory of 1032	4372	ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
"C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
  C:\Users\Admin\AppData\Local\Temp\ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28.exe
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-9-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2196-1-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2196-2-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2196-3-0x0000000005130000-0x00000000051A6000-memory.dmp

Filesize
472KB

Download
memory/2196-4-0x00000000050D0000-0x00000000050EE000-memory.dmp

Filesize
120KB

Download
memory/2196-5-0x0000000005210000-0x000000000524A000-memory.dmp

Filesize
232KB

Download
memory/2196-0-0x0000000000630000-0x000000000071E000-memory.dmp

Filesize
952KB

Download
memory/4372-30-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-42-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-11-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-14-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-26-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-6-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-34-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-35-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-38-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-46-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-47-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-50-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-58-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-63-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-62-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-66-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-70-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4372-84-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads