Analysis
-
max time kernel
105s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
17-11-2024 15:37
General
-
Target
8ef5d60b4e697134c974ce80ecde5f10e05aa6d9390bd9eeb759945a1d1c3bb8.exe
-
Size
3.1MB
-
MD5
4077b9cf83c4160818a7937f31b4ef22
-
SHA1
9b82eecc478cff3834296fc6425513ae48f8a812
-
SHA256
8ef5d60b4e697134c974ce80ecde5f10e05aa6d9390bd9eeb759945a1d1c3bb8
-
SHA512
43a19539f67435e5a652da4d513c099008dc11f8c5afbfdca37803f57b9cc3e9b04ba006188e64ea283664f53c93f2102e1e1439f87cc9ca0433c656d60723c4
-
SSDEEP
49152:QI91YmUt+8aGXL7uEqHK1FHTXTPPazaycTOLXzaLy7IRnhl2nY:jYma+8aGXL7XqHKvHLL+cTOLjYPq
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Panda Stealer payload 2 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Pandastealer family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 22 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ef5d60b4e697134c974ce80ecde5f10e05aa6d9390bd9eeb759945a1d1c3bb8.exe"C:\Users\Admin\AppData\Local\Temp\8ef5d60b4e697134c974ce80ecde5f10e05aa6d9390bd9eeb759945a1d1c3bb8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1006906001\installer.exe"C:\Users\Admin\AppData\Local\Temp\1006906001\installer.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode 65,105⤵
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p265129275187715104258201156 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +H "windows_updater.exe"5⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\main\windows_updater.exe"windows_updater.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006927001\5f70bd4450.exe"C:\Users\Admin\AppData\Local\Temp\1006927001\5f70bd4450.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006928001\df13ccee71.exe"C:\Users\Admin\AppData\Local\Temp\1006928001\df13ccee71.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006929001\fb485ef6b6.exe"C:\Users\Admin\AppData\Local\Temp\1006929001\fb485ef6b6.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.0.204229909\654193758" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {144a83f3-6f03-40a2-9cce-251ce161110e} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 1284 121d4b58 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.1.454233900\1053419108" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1448 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d460c9b6-f3de-4632-8905-b3915256ada1} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 1480 10af9558 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.2.639840499\166578800" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {759e4b8c-c231-4e04-af64-3ab3075d5e3e} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 2076 1ab8b358 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.3.12543062\1211585574" -childID 2 -isForBrowser -prefsHandle 656 -prefMapHandle 648 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60f49780-419b-4262-9704-562cae5ff216} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 2596 e63658 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.4.1002083436\316133943" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3876 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd74a65-e8a7-4732-85ff-147846f70a82} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 3860 206e3458 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.5.403910107\485010511" -childID 4 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {119b8144-bf8b-4082-9626-fe6ed87bfc64} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 3984 206e3758 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2564.6.90888420\217574619" -childID 5 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f88166a8-201f-4432-88f2-91cd8b1f0a42} 2564 "\\.\pipe\gecko-crash-server-pipe.2564" 4152 206e4358 tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006930001\67b65ed491.exe"C:\Users\Admin\AppData\Local\Temp\1006930001\67b65ed491.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1006931001\4112139f42.exe"C:\Users\Admin\AppData\Local\Temp\1006931001\4112139f42.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a89758,0x7fef6a89768,0x7fef6a897785⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1280 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3280 --field-trial-handle=1268,i,16614359480040311123,7001737870596287235,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 9524⤵
- Program crash
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
24KB
MD5a4e60c14b0db6c7ffa34411ecd345996
SHA1286b2966ccc9e53c30d13e04084b2a19e9746b47
SHA256a0e54f9a949a971c1f67535908c634696589fb18659f95ee3fd88dcf1f019173
SHA5123db375030ee77c42ad5188de23cd2a8b6e76d7a7e693d79357928e300557179ebfcbf0177add5f1b0820910484a6f0a33e5ed8acd74198c63a76717d6c40ae31
-
Filesize
13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
3.4MB
MD5ea92841008ce88c44523bc57ff3b9264
SHA1a00d6774503a8831aab032512503d1c2a50e080e
SHA2568ab47b2cc9ad9a729da5700643f8bd7309e2f2fc1cca5b8eed194c0d004759e0
SHA512e2ec52354758053bdb69be7b281701fe61d6f991e23a2171b5e9511f8caa6e148ae73fe8cfc7b23215ea3887d3fbf8f5be4d2c2c3f8fe20cdeea67401f68d459
-
Filesize
1.8MB
MD521630657d1a3e75724599de2a078c2af
SHA13499e579bee406c35c44fe97f0e923c81d31b1ab
SHA256fb0629c6b8aa4796a58307c7cbe1c8ab3a0b29aac0dd9d8a54b7d3786a339979
SHA5128719456525d91ab7e7b05c926e828efda2dfc8d2e74adf49ba3cba3dade9ddc26e696f8d1b4c260e355516913c00001aad824aa5103709fd6826f1059f1f365b
-
Filesize
1.7MB
MD53d8cba6301a392e92140a191fedbb805
SHA1b58c4c391f488e339f3d693235eeb7fc8732fe1c
SHA256570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392
SHA51263c127139abdb21eac58a019e0b55d2db99d54c2e414f2be14d58509a0b7d88ba3a38661984749c25627269315577313d9f8aadb9dd8848bf3ae452d0eb167fc
-
Filesize
901KB
MD5165e51962cf6a0db16b89218b188f402
SHA1136db42c30f7487d21be9ff8c76f1a75ecefd24d
SHA2567d881b0e038551c1df2dbc12eca0a622310a7b708e0e932a771a10a4022f0f24
SHA512c0fb399b4705e2f678976169c9e36db3e2b196ec4fe33b42430903fa8bc6c0941ec67a6785a2dd5863214876bbd362eb4686fc4ccc854d042b5be9afec96cda0
-
Filesize
2.7MB
MD5104932361481712dcd327598f3d63518
SHA19d27002b9cc779f2f96622ff218618a690992d49
SHA256b8023a418cda1632147a66c4378011d56cd199b6a17299275fde863123f549b6
SHA51204df5da302837a00bb29355ce4b32f7f97157e5e6615b963450c7e79d4e7f5cb6ba500af413eea0373515afa631f26a54660671a420310cfa2a8f36c3bd5d356
-
Filesize
4.2MB
MD5f1aefbe49a406f12313f1c56deb2e3cd
SHA1182c4978fd940c4d7f504fe985477fe0512cf1f9
SHA2565e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52
SHA51269e0f083e93b3c0a5ee153e4c6b89cb50bc5bbc4fc9c589606856de518e5705d54219f5e0fda01a6b9d53e03ab76836d335bc3d4a47047590438abd51c36ef78
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.1MB
MD54077b9cf83c4160818a7937f31b4ef22
SHA19b82eecc478cff3834296fc6425513ae48f8a812
SHA2568ef5d60b4e697134c974ce80ecde5f10e05aa6d9390bd9eeb759945a1d1c3bb8
SHA51243a19539f67435e5a652da4d513c099008dc11f8c5afbfdca37803f57b9cc3e9b04ba006188e64ea283664f53c93f2102e1e1439f87cc9ca0433c656d60723c4
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD549bece84546c14bf9852f4982355a029
SHA171832a1cc47bdb088d0640e75f68b172949a52ff
SHA25694ed3446aff856cf13db67e66523bf5c27498a5e973a1872f0b01d5561fd84e6
SHA512ab376332432f256033edf24895a25334bb6fc5466ec27e4ff1fc97124b3fa3dfb831f957b047540e24501e57f32c782afb293982dce65baed9951576891d5613
-
Filesize
935KB
MD51c37a797095b86fcf6056c8c61b93530
SHA1d936c4b7f4d010700c5ed79eb2c492eb3ef8e0ab
SHA25644963e0061eea636f9fc04f432def875511f2ef44e3e1bbbe27e8c9f7665b3be
SHA512bf4e400d62df64affa685925507b3ad654b1441ba86d257b6ed5d500d401d2bd2a395ec326981a55cb10444e1cd34c46b3a89e4f7e9a58362ae86cd3b1d288e0
-
Filesize
936KB
MD50316b6e00496d2a010be085a35c96254
SHA1c32899260e761263c97cace3b88f6d8185c02aa3
SHA256e0028bcb87b403418f3df174d26d2dae1282b8f2c24ced445a66153131f84d24
SHA512e963ada17ff31db3329d92b43bb43bf06027814692d0bc020c4998cbc82e38246fd83e10f57496c0cd9aefa882faec126156d69388835e77e43aa75d2bc78ffc
-
Filesize
936KB
MD5533842397e87a053ddcc53be440b4de0
SHA1d633b1ad6b8c10eba2c2df61336147707cfc0953
SHA2564be46d0d712f765aec42b93f4219ed2738835be2ed863f0901aee26ff9511fb1
SHA512fb1dc065e4e995a010c324cbd7c681e352229c8cbdeb11903bbc769f56d6b590c792ffdd01cf8a5c150f9040bc4c8f66da91c24c195f6e1d7db3c42ede5c1252
-
Filesize
936KB
MD57bd2be2fe2ae9c0efd7bf6c1e4e94035
SHA14e7cfdfdf1e853c2e5ce17b4d4a961745b5e5abf
SHA256511ea1e527cfbeb81a4e94216461fe386800d6a76339fdfd43bb7f037193cb6b
SHA512ba9879e208b6452c1f526b55a84ebe937966333740682d453d75993b1bbd2ba164f233bc79618a1c94cddf094ca3f41a83870bfd53a341e72ccd0e7cf3e7a0cc
-
Filesize
2.5MB
MD557961d924cd1c4d4a697c76965549e01
SHA14661f3858cf24f054bdbbdf1208532e0b951e6b6
SHA256d662a031876e3ece878193fab26b34a44983545107945223173a3422e7e48301
SHA51232af6a9afc35b6e333be21c8ed46da12b39f8c49fe4528520756ae128199fe6b68b856d03ea69cd922924dd8b2fbb02bb9c7b7e31677c727855c6d6d09f61524
-
Filesize
1.1MB
MD507a6fec3ef9c7b81afe5c3fc0ac2e853
SHA1df97e5022e854b2a1c601bff94fabc8328d29c4f
SHA256fd176f18ce42b5ca62fb627cb6ab420c72b10a6c2f6d414c7c06a0ccf9dfdab8
SHA51299e5f667aaac4be997db920393693323495431a19c2279074eb4713e69198fc8775747d78cd8511ab4c681f2c5dd7b729e02dc8ba35ce98e5812d753c8a214f1
-
Filesize
2.5MB
MD539c5608dbca0eb60734913279eb28d08
SHA19f1ae44ea0ad16e7d5f87620c8d972870a401554
SHA2569d1ee13c76954e17c276e49f49777e677728dd486633848d17d05fe7750a538c
SHA5120d013cb0a528bffcfed35ac8433fa0a00dde0340f4059a0822ca6bf4499afbc59c693c3301560d997d9cfd6ee00128e73899f210f573a574c36561ad8d4eb7dd
-
Filesize
503B
MD5d7e0823fbf0608294117e8587febce91
SHA1e39d6cc2c88acb1d5db2c7bbc2da11e4bb889717
SHA256f0e8e915de6318aaaf1de16b9c9314893cb5913cb34ec3d6c2222d6c7aaa0954
SHA512521cea12c437547796ef794f2a8b0534f2b39aa476d96a6783c3ee0a63bbf397623fcb0585e1bbd55b45e7807e5471f2d089725d2154f0059d48352092d80c4f
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2KB
MD525f02a3356511ad4e32233e86ae56f7a
SHA1d1f84dc3af666863132c8548fae8c2901d23ff72
SHA25651e3519493cc93d9f17ab5e4570663b7a901c3de5752a591332c9c4187194793
SHA512224b34bb6dc0f001ba947bd20416d65b11959c3ea834139f1f6e14649f24eff122b616e7238d3f098338d6d2c79533cd2a661a6287c36731958b333216e55c3b
-
Filesize
745B
MD588876c8300e5fc9a550364acc66c9a28
SHA1c1992835efc2f6d9573d305af743443461d9bbdf
SHA256af2ea894e6acfdff2d5b90bd8cc748e3e5c5c1fa1d278ee713c7d3bf0c02e94a
SHA51205a17dcd4335f19a4924a4da09c31581b9bb00fc2f4d840b2623732e06c471ce7a9c352c664defbbb7e5569c526a4c38d5036ba360348ac447ef59a9a8705e43
-
Filesize
11KB
MD541afef16b1fd81a4c393b7ac769c4aa5
SHA1f2f8109a28ba61a2c0e795bd445a45e9bf8fb647
SHA256030721269b36f985f2b6ef5392171715410e46c2dc0f7acde3e224b26a8cecdf
SHA512609fd91f93fac48005db704cb491b03bbc5fc7fe943ac02aca4d7261fba5b93f214ed644a5ca654e4115204f490b320e590ce52b94e8de67a8b1c5e7b270cef2
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5ae57ea764fffb97283b4185c28b245d2
SHA15a8107bc501ce4975bceab339bb5b6aee36f7852
SHA2567b73437e92e5aefa31699bb3adfc4cf767730bd46e277b6fe06ddde701209c84
SHA51222c2172a7983ec33f994497dba86683ee90f26b613bd26cf8c59ce9e1623297d41903dc213ecb5275c567c90c7a3b500e1f9c471a5ab191f50ee0ac36c7b8152
-
Filesize
7KB
MD5eaad379e9353982e4bf88de64142a9d1
SHA1f3a2b79883472dab310d218774f9046e2c3f2e11
SHA2568cac605a5f2fbe6dfd56c66e63ee313a8b572811c844b3b8564b9d95e1f2596e
SHA512ed7b278735842f0eef81d526004593ce08ce00ae97307d619bcba08d0ced2a4c3c28114e2e0da096f8e32e5f173c72311b16b7ce6a32f84eb42da14b106326ce
-
Filesize
7KB
MD5618b09d8e0fd5336ea2fdb6832aca4d6
SHA181bb3781de02319a7018d71c7503e2eeab2661f6
SHA256661fef008698049b9c3473436d1766f69a0874daf4afc8d3d306507714f0311f
SHA512130172e5473a6370192a8c993fb5397a417aba1941875d1c5b6972f7ee086ad15c2bffc0cb256ec9b3430a98c6e23ef67153e2c9dfcf07152e325c823e7ecde2
-
Filesize
6KB
MD55a0b25fc540bafc5c01230af2ab4a891
SHA1321151654894bc3ee18260ee3ed264705a37e337
SHA25624bae3e0c679aec17806652f7659e897ccb9c0f73c6b083d8d6ae69ea97ef935
SHA512aa323b5a26c5c7462734c67d87bbee49f4c2375e65fe7de455abab814b3b2d583636ab819a0e91f48c35682454f2d1236a63a6c0e2e9bd9d5c118306c4c82412
-
Filesize
4KB
MD5e44aa4b80880767487cbb987bd976a41
SHA15d7f3aedb21d802e0f15b7fedb6de0d819e00b8a
SHA256a203fb79c58f484659f4409beb30c7b8c10e191dfa591f09c4fd6717aff43c42
SHA512866f1c9d4cbaced7b141faf8d2c9f55fb89261ef29ef5ae745490b922b6dcac0454dad884c9d8a016ce86bf8c7965d2b7ea2d8bcb67537fe4041ce740affe9c2
-
Filesize
184KB
MD5bece0acf9d7f19d01c7943c54d2ad372
SHA1aef59ca4b0fe97f32db128e103bfb98aee3b5e29
SHA256ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8
SHA512105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
11.5MB
-
Filesize
3.1MB
-
Filesize
11.5MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
11.5MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
10.4MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB