Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 08:24
General
-
Target
261ac9568ccfeff2921463af2553ff01b664bef0e42d563c36fe3c89991ba1a9.exe
-
Size
7.1MB
-
MD5
b1e8ef6ab04be67e3ce955f8c44d23b5
-
SHA1
d178148766194b72f1b8193ab31718a4815b7025
-
SHA256
261ac9568ccfeff2921463af2553ff01b664bef0e42d563c36fe3c89991ba1a9
-
SHA512
c5b141c9e616f382be0ed06261427c0440efbd63624af45dba2b0f4f3cb67f024851fb0c4ba6bfae2c4bbbcf0a4bd9daefc9ee5e12d222e37097e9d9411d7868
-
SSDEEP
98304:YoPFgVL1VcG+u/TJ9afBZ8n/rDs16sPiUwuJGixAAaq6fWwMM6+qNKOa93AwVqN:YzL18u/Vkr8rS6zUPHKuwMp+CKVH4
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\261ac9568ccfeff2921463af2553ff01b664bef0e42d563c36fe3c89991ba1a9.exe"C:\Users\Admin\AppData\Local\Temp\261ac9568ccfeff2921463af2553ff01b664bef0e42d563c36fe3c89991ba1a9.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\J7A49.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\J7A49.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G6t64.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G6t64.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1R34X0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1R34X0.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007108001\de7e360add.exe"C:\Users\Admin\AppData\Local\Temp\1007108001\de7e360add.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbb108cc40,0x7ffbb108cc4c,0x7ffbb108cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2556 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3464,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,6546600764166830544,4154763456817714421,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007109001\afeb3e1b6c.exe"C:\Users\Admin\AppData\Local\Temp\1007109001\afeb3e1b6c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007110001\ea1cb7dfe6.exe"C:\Users\Admin\AppData\Local\Temp\1007110001\ea1cb7dfe6.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007111001\ee9ba19a6c.exe"C:\Users\Admin\AppData\Local\Temp\1007111001\ee9ba19a6c.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17b0787b-8028-4f43-984c-a3472983abc4} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af138cc2-bfc1-4dbd-8ec8-5cfa63cacbd2} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 3044 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e036de7-51ee-4268-aa30-8a68bc967f60} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4076 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c4c2a7-b3cf-4424-a35c-a997a8ebb42f} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec0f0d6c-d334-4773-99ce-d4c91655c96e} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5224 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e58a8d39-b013-4c83-9548-b26fe504cc6b} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a08560af-f97f-49c2-abd0-402bf29289ae} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aa316a8-5618-4f9f-98fc-2af7afad2619} 1816 "\\.\pipe\gecko-crash-server-pipe.1816" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007112001\2073288150.exe"C:\Users\Admin\AppData\Local\Temp\1007112001\2073288150.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2D9169.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2D9169.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v18H.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v18H.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4f101z.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4f101z.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD550d01552433e928b9c086068c375de25
SHA1119dcf3672225e2ea4db24a969cc34c746ed2d78
SHA25650aa490ec14db94cf6c6161fe44a7efb1b72b7a56e51031ef0e919f4cfbb6204
SHA5123aa80e0e76d76831d0e869c15fdcadd360fdb0f8923566a692b05d7679618e38cc4cf82c7297bc7e05d8c53521677472274c7b7099635a3dc62676bb5359e825
-
Filesize
13KB
MD5c60bff5aadcb640ffb08b6da123b2b24
SHA12cab73b592656910bfe442662b05b46335a0b0d9
SHA256f550c2f4c0c23243273fae5f71797ed5c85ae3b531d455ae24920adca80fe5a3
SHA5120bfa1d25cdf2e0ac393f976562484304d1dec8ec3067c6e5e30ee3a3629257be0c8349aab5550202c5bb885c7b5e735ba6176291451e05044976310c8ef2a53f
-
Filesize
4.2MB
MD5ecbc8e5795841534da310554cf558564
SHA14f5c4a459c679a613083fb8ebeaf6b72a62099c4
SHA2564ba3a14b8848a345ee40fe5e6c9a08a3bf7ecfaff176350082871a35a90973ea
SHA5124f74e57b352d9e64ea7abacf59a44159640a5607dd405ecf70dfe1fc71701d70d696d08e2c58846528b6e2e7931b4edb6b12467fd22c54c38b7fb060ffe2685c
-
Filesize
1.8MB
MD51c9baba3863eb6e2cd1fcfcb0fb31d1f
SHA1d3d44d8c18d93be08804bdc8a98d82c791d9487a
SHA2568be06ad676b76e25164e3c83e1f5bc69c0cb5417bceeee1dc03799b9c7261653
SHA512eb0a3e427cf28c5b41b6ecc63dd133290ab94cfed98f7774c02fd684b7f00633a847dadfe668680b7f6545d63e9a5073b51b4ce6bc820124dfcd5ede3db8097f
-
Filesize
1.7MB
MD5bed918183c456251eb2def949e77e958
SHA118cd870f1fe9729e2ca7040c94ae96cb5a06d54f
SHA25685765fad0f7110797e87c8765fdba37475435c1e1ac17096d58badc90c555acc
SHA5129f544f637cc7aef92fdbee0775bc3eec6c763bbcea1800711f93eb781bd775726a060b45fe5fb931eb885e04a0abdebb7d31f1c4b4325d42e0de9b989991b3ba
-
Filesize
900KB
MD5b651212b079aaae7a41a35932178135f
SHA11aab44c321fb93bfdc8c46d2e51a5354bb8d2e08
SHA256e4141cc09eb998a186001be4fc7fecba5e718476e6540ad9046cb99fe64fddac
SHA512c75c57cbf0f9cc9103514938ef07b7d79aeebe3509cc6f0addec868f1993423102098b15993bee1741df71dcf48d142b2ce7501106d4e1f7101d00006541b10a
-
Filesize
2.6MB
MD5aba8b7461f83484c491609ed50a23ccb
SHA1ff0cdc64aff545d168dec8508c1a7dc1c81a78a7
SHA256f98d8e6aa8d6bdf79c13ce7408520431f23938f40d559cbcb41b2be0fe109057
SHA5123e1cce23cf7720b9c6a157366470898b6261ef350bd3118a66f52a2e5c5c06307ab07b877cdf8233e96c90ddda24262806b8b38cba93197375a5cda9272156de
-
Filesize
2.7MB
MD5a93345c6bc731fd47516e16dbe7700e5
SHA18811810374ca8190fb1824b0943618f149356337
SHA25624d9ce8310c3eb716a874406d624659a7ffb4e4fdf7f51140084a633831e94b0
SHA51245348e276f775601cf89dafe5a90561ce21a6476acfae788c5710faf50d808b9f8d1745d93a8a634698c7043e88c1012ab413cdd38d0ad5204669adcb8dea070
-
Filesize
5.5MB
MD59f30808ba21f9b6ed1519b71b1fc50b6
SHA10cc1f114bf7405b9d8bbe1a603b8b3c7f074ead3
SHA256146b8530ae5764be50e3d21edb5bfef047be43a6d419331530e4b5bad6e105dd
SHA512b201cc48ee7d8bfc0fe91bbea709dc6a06187933054a2f6e5d1c78763307cb2ffdb19e2c50ff1878c63eb37e98c382d7b4f3787c6f07879929a29423dffa3554
-
Filesize
1.8MB
MD5cd6989da78d758e1066490bbdca6c156
SHA18c7a2be631d1b360f66986e37d3ca1cc779805e2
SHA256f4b3a3e58bfa294ae8509a9bd41f224e67eeb7a2919d49410f9fa018fdcb4e20
SHA512b3eedd74fe93b5240cadef1797da6926cdf665284ae29d40e10c0fa2d109e5fbab78d1310bea064b259b93fb59b124b49b7a8d17a396e522a5dd556b13c9e2c7
-
Filesize
3.7MB
MD59d8b1aa87de82a7ddd78e628e037b360
SHA1e8ec583b0a97203f94d02c713b723e6423f9857f
SHA25693f129d3d9c1a7b02f14682362c55d55042f74179938423755a37384d0c72e8d
SHA51216832c07a53462f22337c3d13c794ed118ac7650c8fba9bf81cc46e6d78545c42bcb0bedc00db7c4fab5e03689c6c98ea5dda45271ec8912d8fde769f393d50f
-
Filesize
1.8MB
MD59219b0d1dd0e33ca434ffd0db8b3bdbe
SHA16d6d6018ceda52dee9c733d4ced0ab997fddfd69
SHA256408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a
SHA512e6f90d8f91980196ad3b9f444ef32a3ca8b7c7aceb5d25ea32bc208cb27faa1f88166311c4279b7d82e111d56dae9b7e62505f7054370cb4285008ad87b9ff8b
-
Filesize
1.8MB
MD503bd155c22cddc63aa7414a50b98fe0e
SHA125bea392faefc9256150b8732c83a4a18d1fd9e2
SHA2565b925045e850cc5704bbe0d7d9ebab9372699b97a54a29832b09c01c2e868433
SHA51233f530d448b469e63a6d2e34ee0429ff1714b234166825947375d2f23ced5e4d9578bc47dc5650a9fd891e4b265301eafc1b29d9af8364fdd2d626aaa8d3f70a
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD501ea271126e334b8c5454618bf528b16
SHA10d9cdcd216ff193b1fa6eb83cda71c52a0e09572
SHA256ad54d95cd4ca120ff3584b89ff65962005dea8476fc86411536256bf2c7cc778
SHA512a8b381262afea9fd11c806b6eac5a779992a1471945e9af284b59244b543d7c41584fc3d00a936241105b8e9528dd97e4b2b02564b7cc08f46f45c7732ac5ed5
-
Filesize
18KB
MD56f1854fe6c884aea0152177a1ae63e4d
SHA18234f2acc024ec48bfd1d1872d3351631ac2c59b
SHA256d2000adbbeabd10fc6739fe2cd433381fa8c294dc0731ad83dc8b0f88ed65bbd
SHA512a05e1254e33e3e670e5ce93a9a68f00d1d10d1c5d9e9836c9aa1e6dfb95cb1b5e1b6395386247c52d8893aba451d10b32409ff5bddb7c05843ebf1d0de822162
-
Filesize
8KB
MD51cbcced3dbabbd6e43a58984520ae556
SHA1e652ff57972bc942aa514ebe97b076bb3fdf8a03
SHA256008e76374e26d38f92586afe42d6f3c3280c80eb47ef2111b295d3b7b5995ecf
SHA512fff5284ec0532294c32bd040f73188f7a12aae6afa68ce3665572bcac3361084301dd93d6564c8e6b89d7e09b0db9460dd2fe27ef74b6a7ebc604caf9758de3d
-
Filesize
15KB
MD55d085d3b8336c08983af9a42aec208eb
SHA19d72a15d4a563e6d63fc9159baf1e4026364571c
SHA25680ccfe98c742d14e1c39b1e7aea8b118e28234fbd8844a9acde811ebd731f19e
SHA512ddeca06bf284598e343549a0a63b8e8646b72333a9572b59b912d0b90693958be34aa725a62b5d1ccf1169683afe3511c313ccae23530cdcb2009af7b5f1a02e
-
Filesize
23KB
MD565c3df3a8bb085d93d864f2e6a84d01d
SHA17d8d6639fe40dd7b2f9c0c69aa2a7586399761fb
SHA2567720b0c50279f29caaaa94478f2093b962ceac23f2888f2a6bbefcd74d83fbd5
SHA512cba178b7c77ad541ecd04a319629d8f978091376528e43319247fd0ca6043880d7edc5bc3260b3b269b65e5226ee24ed147445bde09890e9c0f1418b3a049cb0
-
Filesize
6KB
MD57054e0bb0a4415a2715a0f67d3fd0011
SHA1eeca11468d9dcd74219f0a4be5033d4b44318821
SHA256eeccfdac443de9684647648d91f417af13bf86557c512de584c18e05d1ebb649
SHA51222e5d7dc5f770990d20b85c48169584342abf213db7aa2c8c9b2046c44a30585dfee9a313c454514b96f0169a97e5168ab70a5eba6b81be65179d9f69e329838
-
Filesize
15KB
MD527f0d792c5e73925ffd5d10eb8e87b73
SHA1c86b0be5c30a9d2af64300fa02fe9c8b02697412
SHA256a91191156ee9d35b27a6f0983ae0868404968e9891b7fd706f11c8f779f6193d
SHA512b8fdfbdc966783f27b5d4960c01d5b932eab2528129c8f88d2e3021fa0380c197bd15b01a423d3d6e9240455d4f5d592209f5142ce92e4d77564b199e7b2a2bd
-
Filesize
6KB
MD57fd9b9655744be2bb9c30e4958dec700
SHA1764558d4fd7dafe621a4b385021efb94b0c611f8
SHA256d84167df0a9a5238e22eb08bc814adfaabb685d601e140bf244706b02fc9d8ed
SHA5120947a5913cccbf352e8cef549df5dc7fecd24ecd41df62d447da6a38fe472d46ec30794aa40d871916c505b0634ecf86af430417a81b7d1d19c229576ddeb1b5
-
Filesize
5KB
MD5ba1b0dad75cbaf56861a44ffc149afc7
SHA1640ecc350c9f5ffd182ddddad8bad541c2d96f47
SHA2565818d57e9238741a59a417070e8cb754293e9ebae219c53b330aeceebc5bce43
SHA512d53d6d78ba7df1d57318de02d9a0ba5e5dd19e24cfdccedaeb3e0ce5b7a4fbcb5147bd4f19b5363b4e42761606e649ff5b9ce05ede462e66fabddc72d7d8c2d0
-
Filesize
5KB
MD5cdb1385e81f2f271b5cd80ee45bdc12c
SHA158dc497f714cf2d349536bb1c20c6ffadb92cc4e
SHA256f74ab58c129a6cf01d80e8dee23c431141740584803c18b4db70ba393ce80824
SHA51215060b0d52efc830c3ac2b86a29609d91ebe055ce600836f084d1a454285eccf92130ca94ab9bc2491447eea507c5941245ee24c355421fd3b3dfc70f7c5e56f
-
Filesize
982B
MD5f2d5e47d75e7a59aedbc394658ac6c5d
SHA16d52b1f5fe759b8d6e0f13f94466db1e4656c0e6
SHA256461ad592b33752e6172a02922084721e769d9579ab57828ff5e22e2ba0cf900c
SHA512fc922a61f829ff8e0af21625e79696b7b1838d32a43fcd4fce1cb9d109c641f71ddbb3d6587b5aedfed7f56f509e916162ce995fa8d1b2f13201e83efcd374ab
-
Filesize
671B
MD5582e8fe05b6aa585193973595f935169
SHA19e64b776d303ac1f99d1ba14a251ff5a3a239cc4
SHA256f248ae0a1198b20cb77ecf41a0ae0fea29d65c82a2f1e512be70683f83e8624e
SHA512b54dfab76b300a1e28e6cd32a048511a7fc36f4e2f7d47fd38be8caa13b7c272dd7eca01dea58461b9a39ed4f66ad69ee42a8d8ab7d2d4f0fa8854a4e585226e
-
Filesize
27KB
MD5060e5d43687bb716853ca533d07eeb3d
SHA16645bc9473c66ddd946a0c09e0f86831711236dc
SHA2560080a7ff4b3d98ed709c88fdbeee5b2e2b46c293c7482c111aabd9820e188b48
SHA5122826b675e2c728ac3060421609748c6d93eb4d9175e12b12f4416214a7f6574494e72067e0b9f734bf3e08fc4b2f68e78a7a0cfc0349904a2a29dbace8b66a1e
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5b5ff13efd67f6e43f457914057664515
SHA1d55a806d93f024aec642700fe7250a80384aac81
SHA2562159fe450fd7fc28144f7eecf6caad94bbe62d84364d8053600ef3d8a9299d50
SHA5121c2a7ca27131124a73dc0d47d89cc2276bb1eaf30eb561c07845194a412abdd713c74cd53b5e29a5d6fe81248699031ba64dfb81b3c858f4ffd80c9f79ff2719
-
Filesize
16KB
MD56c057afdbfbd0ed0017879b208d6c725
SHA1ab4137db1e85d7227cb445f390a855c54d4ff2f8
SHA256086c78878538a04fd4f1ef229668ea3fca53a1e020882f2b67772983df0b7387
SHA512187cf3390e7253872ae22be09716951543ddcc38562ecf451506f5296f1e47b4b5677e0a08e330354d3a098920c54f3e31451e6fedd903be9f846e66c6756198
-
Filesize
11KB
MD506bb8061b1ab06d7cd791f7fcbda13d7
SHA16dae15e6c14ea6d9d302e08628823fd0683b781b
SHA2567c715033a9504378118b868edd8e40800598e55eb6817e0103cef43a4d275e94
SHA51204587c6ceae68daecd967322cc4e364386babc270327ec94e0fab2e53f63249d45017c029d49ce68ed24150af6f9e5bb495c647d01560e8b9e6756bcd4cbc1eb
-
Filesize
10KB
MD5895b2c5fba19f19a2c9d0ad23e0bd878
SHA1f76dfa69ab78ee80871b28b5ddd7590d5ebf4a13
SHA25634237d233d200d190f3bdd763a28763b30013f64f537cbfe9a70c3ef3830a508
SHA5124284c36bd1235cd288f3162846c572c32118cd8e148716caf186f93b8a37ad6e43a88b37038ab723cbf11da8df316a6ecb20f5a2380727c9cbf71082e85ca00b
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB