outsteel | ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9

General

Target

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
Size

1.4MB
MD5

41af4d9fbd0bc719212b78cd7a1b89ec
SHA1

ca93ffbbc38fbd3c62fb31290a198284ac13be0d
SHA256

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9
SHA512

1461694f1281cad81d823ac85c246480a3281a30b7e1319521bf8f39a70954dcc8cfe76aebaa8069dad133fbb0b5f68600d972c6bb5b8a1442372231fb196bca
SSDEEP

24576:Hqk7E6r5Q7AaJBo3QXerYFnGTx5hJydkCPUhiOd:HqGNQ7AaJB9MQa5KdkC8hR

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	ioc	process
File opened (read-only)	\??\n:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\p:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\v:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\y:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\a:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\g:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\i:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\m:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\r:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\s:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\t:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\w:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\b:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\e:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\l:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\q:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\x:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\j:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\k:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\h:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\o:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\u:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
File opened (read-only)	\??\z:	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2568-5-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-7-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-9-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-20-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-28-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-32-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-36-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-44-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-48-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-60-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-65-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-68-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/2568-82-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process	target process
PID 2656 set thread context of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description pid process

Token: SeDebugPrivilege 2656 ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process
Token: SeDebugPrivilege	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exeea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe

description	pid	process	target process
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2656 wrote to memory of 2568	2656	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
PID 2568 wrote to memory of 2596	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2596	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2596	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2596	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2740	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2740	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2740	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2740	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2464	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2464	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2464	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2464	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2444	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2444	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2444	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2444	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 528	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 528	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 528	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 528	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2024	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2024	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2024	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2024	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1484	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1484	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1484	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1484	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2720	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2720	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2720	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 2720	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1600	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1600	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1600	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1600	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1964	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1964	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1964	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1964	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1920	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1920	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1920	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1920	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1828	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1828	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1828	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1828	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1804	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1804	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1804	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1804	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe
PID 2568 wrote to memory of 1768	2568	ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
"C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  C:\Users\Admin\AppData\Local\Temp\ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9.exe
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-48-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-82-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-28-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-20-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-5-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-7-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-68-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-9-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-65-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-60-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-44-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-32-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2568-36-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2656-3-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2656-1-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-4-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2656-8-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-0-0x0000000000EA0000-0x0000000001014000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads