Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 09:10
General
-
Target
0ca80e0270df72d89b954befc890d2104ad0109d4ecb6aa07b26be20b66beacc.exe
-
Size
7.0MB
-
MD5
930dfa5976d97c9c077da24c93de6556
-
SHA1
a36f4e54fda94148a1a17b1d68a2f3ff498e554d
-
SHA256
0ca80e0270df72d89b954befc890d2104ad0109d4ecb6aa07b26be20b66beacc
-
SHA512
cee5cf5c664ea9710bb8beb3e5ecadead502bfcec58b69f72713567d236b3820bcda7aa73dbf7d81040581babf1a77e70fe7c7cad66fff01f6e92e989afb2c71
-
SSDEEP
196608:F4tUvHQC9iWtC2cmD5yTAGNhiujxhZ07NR:F4t0HkWtC2cQ/Ch1a7b
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ca80e0270df72d89b954befc890d2104ad0109d4ecb6aa07b26be20b66beacc.exe"C:\Users\Admin\AppData\Local\Temp\0ca80e0270df72d89b954befc890d2104ad0109d4ecb6aa07b26be20b66beacc.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8Q43.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8Q43.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W0w24.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W0w24.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1z90D1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1z90D1.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007117001\d1f2eeabc6.exe"C:\Users\Admin\AppData\Local\Temp\1007117001\d1f2eeabc6.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcfddacc40,0x7ffcfddacc4c,0x7ffcfddacc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,12529715161487827309,7265898814897337444,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007118001\f498054a65.exe"C:\Users\Admin\AppData\Local\Temp\1007118001\f498054a65.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007119001\cc8802f06c.exe"C:\Users\Admin\AppData\Local\Temp\1007119001\cc8802f06c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007120001\b1ed335667.exe"C:\Users\Admin\AppData\Local\Temp\1007120001\b1ed335667.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10b9ad53-a217-4b5c-9e95-d34654b7bcae} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2492 -prefMapHandle 2488 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd909c54-6ba5-402a-add6-fa01616fce07} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 1780 -prefMapHandle 1480 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76bdc239-56fb-42ce-a80a-177abf240126} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4212 -childID 2 -isForBrowser -prefsHandle 4204 -prefMapHandle 4200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5e8d53-b618-4368-af6e-ea51716a4980} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f9e450b-46b9-4e4b-a959-8a7e12b2366e} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5252 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047475ca-0faf-40ab-8a51-c7f9a39a04d7} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bc4fc3b-1d22-4de3-ae99-1227bf12b398} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5552 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ff409c-ed18-47ca-81b8-60bd52a42849} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007121001\72248c89d4.exe"C:\Users\Admin\AppData\Local\Temp\1007121001\72248c89d4.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2I3703.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2I3703.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3R49m.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3R49m.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4B733U.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4B733U.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD51e05bfaa4e2ddf02786b2f548277a71a
SHA1e34df43528c1bb23225893a6e1bf61eb9e2da049
SHA25698b93fe86639ee6e2c24f27ed8eb9f4488d379e39e92e68a9801e0c04cbb6a69
SHA512a4c0504ad298e2c67ee926167ea6abd14330588e9e45a7057170d44c327f3c1c89a8c9a114c32c17c87aea1b0f7076ccf1a56f4aca5b3d38439ed2657cb14619
-
Filesize
13KB
MD5a4d3158313ecf4c212b5e626fe0fd0d7
SHA14fa4776cd74932532d81e7342a39e33ef6e6dff4
SHA25678b9a3e4b141b73e0fc791a93544bd10f6bd5b04755a2d589785f1e1d899f0c9
SHA512d351d954c963c2b595c15e1b9d81e2fd7e8b71c995d69654de48e082ceaf9fe4c591099453fe2150478f0a4c81c48e09bdb1a7d4bd79ea246b24fd588902ce6e
-
Filesize
4.2MB
MD5ecbc8e5795841534da310554cf558564
SHA14f5c4a459c679a613083fb8ebeaf6b72a62099c4
SHA2564ba3a14b8848a345ee40fe5e6c9a08a3bf7ecfaff176350082871a35a90973ea
SHA5124f74e57b352d9e64ea7abacf59a44159640a5607dd405ecf70dfe1fc71701d70d696d08e2c58846528b6e2e7931b4edb6b12467fd22c54c38b7fb060ffe2685c
-
Filesize
1.7MB
MD52fe2ab5b511de6ef48e3eba0378f3e12
SHA1c350d71c99c8c079714e71c219c706c6716a22aa
SHA256ab2e92bf1d70567a32aef956b7d64cbe4d49dadf779fc6d455674fab35509b14
SHA5124beb110952f7f3d6f351149448344f0e5918694bfa3fa958e08690999e16f270abd32100e2d844c5a13564e4c8fd664d17882979e6ca567111983ef62ee4768e
-
Filesize
1.7MB
MD513a85c121414fb45d5693a9ab8910086
SHA1040b4aa8746c65929784f80116bb13c7f125ddb2
SHA256de0db7603189d02c7051013fe43244a3e86fbd2a884a733a64fed84836912e0c
SHA5129c9d7a5e6cf4d76a79870b62a37984783c0ec174b7f2e4557154cd0632d6e2ee7943d9ecc6149eb09277ee1dff4d8eb2692ce60934d69eae97f80451344dc5d6
-
Filesize
900KB
MD55ce51bebf5df5616c0afad430b705cda
SHA197b05e3b842ea60a341e600c12110092a27240cc
SHA25665177fb5a41a621039697bb1c2559cfb544bead0f3a91722008f425fbe89e261
SHA512c141267589f896649c97dae327c98e2abfc5de85c06917a00062acc7bb4e42da94085ea1f6b70f6c8dba4ef1725ae9bf0b64747792f80c824d99eef1f23e7ee8
-
Filesize
2.6MB
MD5bea1589178b4eda7c5b15d47b076f6bd
SHA181a654fe6ca77c26d0c87d9f8fe1786c4ee4582d
SHA256336b2204ee1f34c545ac54145a9db9f548ee478708fe1bc22c679fb037063068
SHA512d8ed0c2b19b94aeb4aed0d2e7525cb3eb8289b9da0d4df8c1b24340060976233af90861fca9ecf259c7cbe40775d1f8fa6ff814bdc542abd9381497ee60d9d98
-
Filesize
2.6MB
MD52ffeae42aa3821be91b12932c1f311b0
SHA10955f233082e9fce22c627d00fa6c714c627ad5b
SHA256c4dbba7a9953e2f7c86dbcae9ed8b5252379f492a82ffcae5ab441a58a401026
SHA512d81aa3830f10394cde7bc2cce8ed7ab23f62b258cc523bf5f896aa4cfa14ce6010bd94ce4d2df70cbfc784ae503a113c860efb287470bd1c9c38dbdcce8c1913
-
Filesize
5.5MB
MD58c46434742f7d1508c3cf59824345a68
SHA17f4288f3034df6ded9379089bfc5e3d6b18780bc
SHA256ffa34d06160f2c154c4051b09eaf666aabe01f23fcd1192fad56c5a05a139668
SHA512b188617027d09328034deb93d601d9ee1351548c51af4716db5e42865fc8ae35e404d532b98fa4f94377bb5d724955eafcf8933deb9f056c9513133766bffeb7
-
Filesize
1.7MB
MD53c1fc0e5501a732f21671110d1593fed
SHA1df8457ee8030c34112df1216a8457de65c80d122
SHA256a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87
SHA5126a7ae4c0bfe6d83cfa161995bd9587eee86b311729c5ad748b91c035bf03748d521eba54343e258e6bb8de32ff09ecb05cc92b6936dea192eca4eb8b6e8f97e2
-
Filesize
3.7MB
MD531a9337a848a2ac28564e2874dc4ef21
SHA1f7fe4107f7cbbb410949d3b6601f2ac956070342
SHA256d535c6f5fc55670e771f6521abfd9075d41ba4f01bf78dba2f6a06b80b517c1e
SHA512f93d262bfe9e28cb3f3296fbe89f7be8a9987011b16233c62cbba8ecf067f1a26295f2143177c8b6beb7c88eaefbfc378d92ea3920d660fc29b533d00968e39b
-
Filesize
1.8MB
MD50666d4775f770d43fa3cf484008b6d93
SHA1787d16fe61592cbbd321d55e7ef52664267b5a08
SHA256c4e3b29ae305fbd372d763a1bbaf7573732dc10ae08f7d60d721d473b737893e
SHA512fbc23e5440b1aa2ba06f7eabe24e37efb46499746fd3d2564ba9b63ae27da3a4b4bb77fdfc3a38b16b27e835d3531e4259fc6a5799ecaaea95823ae3c1339f13
-
Filesize
1.8MB
MD5ea82a77aee044c4ed6569062542cf1bc
SHA16358392b6d512df6d325a179e612ca695726c4ca
SHA2567c23f62e1045c5458f8f72891d71a65d39d20d5cbd596f6fb060c045fa5b4782
SHA512b91f38d0bbe8ef1b1770b89bc2f9510139f6261975a9866a840283a69fcc46cc02912b931d3474bc2c156184ac8c02d463bfa7497c4f4c45b574e8311080dd91
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5013041a2fd4d4bbc9df89322c4d3f192
SHA173d627613876f586f31db8bd6525286cd1bb2704
SHA25657615448172b5a79710cae3376df7e2fe782326bd69831f7daa53cc6d3b49519
SHA5120e9f35ede505e6eec850e3b184e55b4013aa33dd8af1d781ef49dc905bbc3e3571e18fe0a5d1056109fa9361568d8509acfeb88c53052a2c328d08cb7ffdef31
-
Filesize
15KB
MD5ff4d853c8370fae294f675b2dd189010
SHA1aad047adba4d0f447e37eca8b7f39b974f71509a
SHA256cf8d1c86561427c724ac0af430ce2e134e5391b6f04e4e772b840bb9d9ca18af
SHA5123d237f05c77329cd76336f0d1901fc7b404fbf746b9eaf26b626211974534504caf70efebf4e716be453d49df702d1ef6b29d94fee1e1bd0a6c6b5b9deddf6f5
-
Filesize
23KB
MD50b8f486ab25e923037ac3e726c0426e7
SHA1499f15c726cf5230ddb3b4076aa188e4fabba3ad
SHA256b450918d564d4e88228b3fb4a581967b9172fc4adc853174389e6899a3bcdc3f
SHA512618944b83881211e901824af01e39becf6f24edd9a2905cfeb9ea2541e0061262c10c061fa6943068b4259ba9d2c283a79551e3b9af97f5558496790c3ad127c
-
Filesize
15KB
MD59a4f220be7a0e9a1fb3a3e0f3e2af31e
SHA11d6b18cdfc7dc81f4b2bfff9923d68826814ed78
SHA2561eaeb31e7c0d5e7d7d1059c4eac7d5ba42148d3ce12a8e66ceabd45cff31afb3
SHA512aca33670e7b0581c4f987bb6001eb1bab8ea7b87845d0478fa6b23d4530a9cb711badf47dc9c0f0ac4d542088704086ff5cc0334cf69bd8b8cbe7cd60b22f8e6
-
Filesize
5KB
MD53bceffd348babe879373f195cee45f27
SHA11192f7dceea3d2c000b4313cdca5e455149d730b
SHA2561df8cf72cd2a31f79173c57f4e9d4d6e47c5258392bf5797b8bd17410fbc8ed2
SHA5124d0d5e32fa267323734bd62af0d8b54ceda69eebdcfbabde5e318d4787fcd959426cab80d73a1855a8cbfaaea55f2e004094bf19f71e24ef3b1857596de19080
-
Filesize
6KB
MD541c10b880a5abd9bf60acbf49834ffe2
SHA1c83fd0f70e9cdaaad6b486521a0eb9d517edba71
SHA256aa2dc64f9b203f14f357510cbcbc349ed0258784863cf7e78ef63fd594d7a3db
SHA51278eeb7f158a5cc4d1b43a33d1be4e5951ad54f0fb570ea4c489f0acdb134d25f3593a7ffc29b1078edda5dc661310cb621eabe0017dda28a7ce5198ece551845
-
Filesize
671B
MD56106f2e1bf5946ab4c7a68a4defe19be
SHA1a7c0dc9278f0efdd73f1b25a91d36a932be1dda8
SHA256722cb5d38df816cf395272472975ca85567e3cce939695b2de1b4066e5ca7bd7
SHA5123204adfcf498df3ad81e1d5a93a7c6df6a161fd9b5e49702ae0c3c4268b2f19b16b86937c4d2bd5721d8f463a955ba45d479b9924891106763d16b774644352d
-
Filesize
982B
MD599def777d2f1cd647dddc568c2669600
SHA1419532f25e7a1e24866edec566a9771a6830875e
SHA2561055d088aabc058dc8ac13dbece6d9ecb7177a1e853294a9c906650e40dcf563
SHA51269c8d093ff9e42b6a86c229dc03d9e94c179d464afdfa3bd4a4b0c96d31e18e36bc64e56bb6a7b122775579a5b9744bc77a5a5213902358851de9a2caa26561b
-
Filesize
26KB
MD5e4cb5c04ea716cf0422b677bdf4c38fb
SHA1633b522f00afe216f1d205f0f1c1d517ea13c170
SHA256851fc6df2c1c660565ece1aea27d1727fa9d7980f960adb63f4b31b3706fcbc9
SHA5121cbedd163aa963cd3bbb143280722de39edbaaeb5f6c6705469dd2806b7adb80a5dcb222780865ee46091cc47062c27860319eefc4099d28700e38feb6c33c04
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5016ea7d7e2d5b41f6abbf8342c6f9e6f
SHA118437e27a202124b92208c730dc7801d1980f1a1
SHA256b979468466853dfb6cb40d3e0691444c8dd8aaf3a61b4fcf9f625fa096e0c145
SHA5126de41761cf1cd79847ad39a5d4b900ef9fe7a39ab033c2ad59fa9745d81e41cd1743034cf984be775697a1c30f82fdac48a209d2d44ad96a29e530f83dd019ca
-
Filesize
11KB
MD5f72d6a3bb130ba3db4c7264d784e0f2d
SHA16e5a465f64878138b60206c8d00eaa10e8eeaed7
SHA256d7c6eadbea5c3edb5c510966fbc4b0f6a73356d08b36280eefaf1fab150f3681
SHA5120dde9456f1f25d9d2d003512838dd2a81f274a697992e082dd60986ae521a89a47579d13c0943d549eb1401cac070202b898ce18c5f8243b1b0f7708474bb1ba
-
Filesize
10KB
MD5c24cfa12c04c2a51386b08b08d3d25e8
SHA18ae7b50b15df68892e321b7b599e2bf11a7d65c4
SHA2562c44f524ebe8e2b8b3586f57bd9f23f4264528d6758f38b7488199079a66e692
SHA512fc06923ffd09b0120563ab4369f7e5794d77b329a761c7434e62a147d85308ec88e2b818240251e82e9f8d9eab17243121ffee1ad25e1f676ba5c0f515fb2176
-
Filesize
12KB
MD54fdd5ad8844ddbe36a61017b963e5df1
SHA16095fa45480665d481a436b266afbd8aa0a33713
SHA2565e9f0a134b8935f074afa20503f7cb45d4852e76d0991a1461714739b52ee166
SHA5120b8e60f7033b2ad72eb860720d44ad21cd39e3639f50f41cc62324d5f7940318d93a26c44e267e01f1ee5216867ec11976e0ae497a9d1df13e9b30c9a8ba8600
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB