Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 09:31
General
-
Target
53152b87342cea47129cafdff1b3d3913f20a78817d22703468bc51a2174007a.exe
-
Size
7.1MB
-
MD5
ad62f24e0fd8a0006348bd6fbc370e13
-
SHA1
c93518630484cf603a8dec8f5d202caecd02a0cf
-
SHA256
53152b87342cea47129cafdff1b3d3913f20a78817d22703468bc51a2174007a
-
SHA512
c82a2113b8541a32a59f65555492f5058551d6072d6d628be4f7a50acad5bcaa4f34f8779c056c0ab8375288dc9f5d395a9bfa5d80adf38fec1b2843e1bb7c53
-
SSDEEP
196608:WUt5AnJtpOc7bIES3ZLbp6AUYoNPdInLpEe+:WUAnJtz7RSJvp2NOL
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\53152b87342cea47129cafdff1b3d3913f20a78817d22703468bc51a2174007a.exe"C:\Users\Admin\AppData\Local\Temp\53152b87342cea47129cafdff1b3d3913f20a78817d22703468bc51a2174007a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D5c36.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D5c36.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\B0w39.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\B0w39.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1l77m8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1l77m8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007117001\271e30168f.exe"C:\Users\Admin\AppData\Local\Temp\1007117001\271e30168f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdea75cc40,0x7ffdea75cc4c,0x7ffdea75cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,1620776056966492361,6705293608778641440,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007118001\262b3178b7.exe"C:\Users\Admin\AppData\Local\Temp\1007118001\262b3178b7.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007119001\1292a67645.exe"C:\Users\Admin\AppData\Local\Temp\1007119001\1292a67645.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007120001\07ff7df6da.exe"C:\Users\Admin\AppData\Local\Temp\1007120001\07ff7df6da.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6715b42b-60fa-4772-b629-54c1ec6ff84d} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca635c46-97f6-47be-94c6-6db17975221e} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2804 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 3496 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {508a561d-0fab-4741-9e67-11a377f33607} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 2628 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d658953c-a548-4412-abd8-48cdc8c9173d} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2628 -prefMapHandle 5000 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeac4501-9f6c-4104-9bb6-4b4db2549828} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4f8cdb9-72c7-486a-a0ca-a5cec673a3b6} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97a6ce1-6274-4030-bc8c-a852533f1951} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcdd6ad2-8bf2-4887-aff2-cd37e2de454e} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007121001\038f7ef772.exe"C:\Users\Admin\AppData\Local\Temp\1007121001\038f7ef772.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2q9355.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2q9355.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3u09U.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3u09U.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e052a.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e052a.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD558b93c92e1694ac7cb2b724e408e1388
SHA15943077cf7956e854020ad0a7c45862b0a6e4015
SHA2569c482de21c11c4c1d8b67686dc6a35f5abff0ad4af072f56bda62aceb0ecdd34
SHA5127da2069fa6edbaa9cbf481e8b6e82eefbbf59db30921cf364342aac964bbd36745072193093289c4a13045c0e0a9680ae07128de0283ab979962854f778c8171
-
Filesize
13KB
MD51c992c431a294579bd190468c4f79f2e
SHA15763f979e519e510c69ea3b5368be52287e0c648
SHA256690472037be8fa4c667d516a09e26afbbdcb9ed7db82519b124b5fe57d30529f
SHA512d1879a0e385ea8855cccdfd56ea04b2b47a3e2333e6b8971e43112152637f119946990680053f5faa27f71bc4e0cc936452d769f6f7d9a2a6119655cc0a7ed1a
-
Filesize
4.2MB
MD5ecbc8e5795841534da310554cf558564
SHA14f5c4a459c679a613083fb8ebeaf6b72a62099c4
SHA2564ba3a14b8848a345ee40fe5e6c9a08a3bf7ecfaff176350082871a35a90973ea
SHA5124f74e57b352d9e64ea7abacf59a44159640a5607dd405ecf70dfe1fc71701d70d696d08e2c58846528b6e2e7931b4edb6b12467fd22c54c38b7fb060ffe2685c
-
Filesize
1.7MB
MD52fe2ab5b511de6ef48e3eba0378f3e12
SHA1c350d71c99c8c079714e71c219c706c6716a22aa
SHA256ab2e92bf1d70567a32aef956b7d64cbe4d49dadf779fc6d455674fab35509b14
SHA5124beb110952f7f3d6f351149448344f0e5918694bfa3fa958e08690999e16f270abd32100e2d844c5a13564e4c8fd664d17882979e6ca567111983ef62ee4768e
-
Filesize
1.7MB
MD513a85c121414fb45d5693a9ab8910086
SHA1040b4aa8746c65929784f80116bb13c7f125ddb2
SHA256de0db7603189d02c7051013fe43244a3e86fbd2a884a733a64fed84836912e0c
SHA5129c9d7a5e6cf4d76a79870b62a37984783c0ec174b7f2e4557154cd0632d6e2ee7943d9ecc6149eb09277ee1dff4d8eb2692ce60934d69eae97f80451344dc5d6
-
Filesize
900KB
MD55ce51bebf5df5616c0afad430b705cda
SHA197b05e3b842ea60a341e600c12110092a27240cc
SHA25665177fb5a41a621039697bb1c2559cfb544bead0f3a91722008f425fbe89e261
SHA512c141267589f896649c97dae327c98e2abfc5de85c06917a00062acc7bb4e42da94085ea1f6b70f6c8dba4ef1725ae9bf0b64747792f80c824d99eef1f23e7ee8
-
Filesize
2.6MB
MD5bea1589178b4eda7c5b15d47b076f6bd
SHA181a654fe6ca77c26d0c87d9f8fe1786c4ee4582d
SHA256336b2204ee1f34c545ac54145a9db9f548ee478708fe1bc22c679fb037063068
SHA512d8ed0c2b19b94aeb4aed0d2e7525cb3eb8289b9da0d4df8c1b24340060976233af90861fca9ecf259c7cbe40775d1f8fa6ff814bdc542abd9381497ee60d9d98
-
Filesize
2.6MB
MD541a8f6c96adf5f9dd2283df14d3fe1a1
SHA188b60beb69d93ed490ca7c840ec4316b1114b01b
SHA256b72c2fe6a8f95089a370e176870d6fe8134f546528606aae267576a5264d0beb
SHA51229cad33ef531b4f5739c26961034c5751bebea4eab8a8c0aee90e6ba55acf7296aecd3d9e4007e2f1182d919f4300561672b4f15511519fc52714e548bd7fc05
-
Filesize
5.5MB
MD51ff71734360fd14e86c4dd0348d3169e
SHA1a1c3dfd2c32a25bde713e9d56f223f3ccf506528
SHA256bc7499a244376445b5aa40a78edbee2b977c3539bd991130e24fa4bc5d86e5e5
SHA512dd94008602af3d88036834de10c1e1f0b9673b9dbab5051227eb63e160a334ad37cba7ce4b341bd8d4e9c4fbd403153c7186273b1e7e53d736bfdae625de8368
-
Filesize
1.7MB
MD5eb23b9440cdf9c98ca59cb2ac64b8f5b
SHA11ef3b7de6db8c5d31707fa7a577889256f42e9d7
SHA256e1b2645165b4fed7644b88a50c40961129ff2e117e0a7a086612170c00ab2fa4
SHA5121a627314395dfe5686f4f2839f75d7f36115316d477345c3d8fad0fb965a0a059b0748c709d2b09a8b51024ddd0972d84ed9fcf5a8c3b9b9c0cc3fe4963ad55e
-
Filesize
3.7MB
MD5c89c04c0cfc8247fdc76d3a34c191f8e
SHA17166986a53f55129bf4b53ef586e59c24956ba63
SHA256ccb8f1a4af661b3fd3632077afbc83c68f1c5d3c9190477464fc11a006828011
SHA512d23493561c976d9b07eb12ad8d05c04856c9614666b832f15d34e58a70e4d32bf212b61a49a8a3b49762e0365bf763c8a77b8abbb08ee3ff6aa5822e4597b923
-
Filesize
1.9MB
MD56a38eeb44e27ba7e351f61180c34981e
SHA14cf5edee9dbee85ab291bfc6afe35f7d55c4b4f6
SHA256f65b4f0e91b04fc62e4d6cd10d6b1ec53b29b955496c6e005b9443101d1f1262
SHA512436d38e455d95687636966bdb7fe4b30963a57401425c02b94152400920b9c030a1f3173e5975dd04c21a45a280cc13cf242281f86ab5a58a7a9067dec4b43ca
-
Filesize
1.8MB
MD5054f51597fdea53aeabe7221bef8f4ed
SHA14ac7f3f2620c0599508199a9831cc5b881690901
SHA256e9e61e8d998bd126741766cb0958833ba53f5cf4e6893dcbd7fde68800d7e194
SHA512595241781f363bb8cb1a2ead54dadfb4b63e2b709285169e3eca7f53916225efaec48f4e2974abb6cc8e1ae1075eb2ab457547f4464d24428500735f516b9f0b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5376ff16ec5639b60180c27504494320d
SHA12d8631a39d9ecb722117bda4be18dcfabfa3f60c
SHA25683e5dea564fdb4d8adea0778f826a7f06e3d5cc454a548454c30f55461d0dcbc
SHA512fa669a81cd598b27fa2e4e23f06c54fecc9ef9a2513495b2eedd5d5a6264bc74ee4009c814ab1626bb5a51ab14aa4af83b7b3a5e773dd95aa572ab4430d50da8
-
Filesize
8KB
MD5a51cdde6f4fb06256a1e937faee079dd
SHA1a9b3ac98e5870cc38e8911ac2c760a2a1c3d7945
SHA256528a1a1bebf9c40d6772641f06f9a3e1665f6aaa17c924b619532df4bab28b9d
SHA5124e6ad63fa52619d493544b86badba13664cb191cd04773f9e708d45e692f5981a8c7a9d1801388f35bb2d92dcbf13c9b87cb5a6159e136d95fa2dd6e7f6b4835
-
Filesize
23KB
MD545d193cb37808f07ce802541389b264e
SHA1d0256076be24c2ee442615cd48121c68fb451285
SHA256446e2ca5d6bc35e523a4108a29c4ba4b7cf0b7ee1d57d656309631b85201630e
SHA5123e98eb871af17a3e5399ddf30107a5a6567e2f8f38ca4225bfa88cd3e3ff556c3fd74d414e57d8c8a7be21cbd148ad555f46871785666db4ad547e9012c6b8cc
-
Filesize
15KB
MD5a122b51251075948a07bbad478fc318c
SHA1a0d71ab13bf338d4e90911503e7465163734453e
SHA256291c4d2dc031f508c5c512067ee650d78d2fb4149fed14c9b4eaf73ca8f2ea55
SHA512ab6115f445c43f18603cdacc76a4228119700b2f9f64d5904becc42ff9707dea6d885e87f9cc75161b711ab489d948e5a7639418ade76da943db1f5386e5311e
-
Filesize
15KB
MD526ea768dd5f82a3219fd39b1f3a5a1e0
SHA1d5a692326d27a4a5a9ba181e043f87119d8298cf
SHA256e8307a4772d4ae1e4569d379d5ea8632af54cf58b7071611badc8cf9c6ce64e9
SHA512048093625098df6f14e9104a138c217208e9ee4ef3c1535c903e906cc24a7863eb37baae0485abc5beeb631942879836bbccf8e007708f453224436df04121f4
-
Filesize
5KB
MD5eec59796f1b6ac2eaac150b6fd19a9d2
SHA1ba9e69dd1796813bee67c7b506c863450ec0737c
SHA256bdedcd9cf041cfe0998cb624142e2f27b26ef8ab01a859b10165a0ebed290487
SHA512af04ac6af685a203269f350c9aebbeeed3737fc3d71e830763983c1d0041d6e2cf5e46bd522743db1152692aafc07859cfc5f8d08f57477c3d7a915316cab8bc
-
Filesize
15KB
MD5b64192a9bcb51567748b2df54170891e
SHA15e9bc9b06377fe512d4556f8ac63798f68710c22
SHA2563c18510adb8d395f134f48035a58380b2357b04744309ea718f3f0810d9e6c6e
SHA512a6a6fc6935012f775570d2e043e864c44792c5da890f1a1a3409ba3f3141da26def4a75a697d4808617ada621a024b70028b9324540bf921d3e9f809748a793d
-
Filesize
15KB
MD553ec2a4aa28297c52b0ab197c0b03d78
SHA14761d9d35342602e48d3ed2e77f3c375e864870c
SHA256b25a0499027a86964d25be78078e8adaeb1995d05b5ff754fbe27ae2d1d7b504
SHA512f21e055509d83629e9752db6def123a83ebbf360cc993bf0ef1c2e09303ba033860642930c1ef91705a3892ec203b603f9a933aa1146b6d8367bc006d6827de2
-
Filesize
15KB
MD5a8763b6869b48a518371a075b9c8f669
SHA17a4d8c462ba12eeca6a215f0288b36afc6c681e2
SHA256911103daee874d9b7d9382f8dfb158bc213d818af6161a68ab7b61d4963d3b9f
SHA512c36553aea13af1a9b226dcba46e984978fdac5d1e3c786625d5a3fcc097a3d379984b184b05391c2c5b61e67791154f995553c5d283e8ee0e68f28fa6652c9e8
-
Filesize
6KB
MD5aae83623e83e2bc438c858d786c90924
SHA1fe9a64f2c4b0b8c48968fc11685d51078e669464
SHA2567eb1c5d2b4c0654cedca3b5e98e9a00eb01827a52c1465de2d269573231db981
SHA512ae6e571e9547763a45f94825ee2c90f73d039b90dd625a45cab0908d68a2bfb107fe3691987c3b402437a1da37f87132f69f080956d959a8959d7d8e82a677d3
-
Filesize
671B
MD51f4f429783d86f07312e7b0b82539184
SHA19b6f3ca79b8e8b2206127b0ea1a9c7fbfc46411d
SHA25662372ed0773b770146ea280d7afc142fca440ef01226344a5b2559875223651c
SHA512c7a189dd5342bb80ffa79d27fa6e97ca88eba70c5c9b01b356179033f310a44e9563c0b8b50d6339ab3216463d7b5dc29d31780df9c9a66ce3ac05d4ae30fdda
-
Filesize
26KB
MD57f578890b110455e3160672f1e17c6d4
SHA1afd7880d07039edc9db5b34fa4274e41a6ef337f
SHA256f1a97c3ca7e918afc582207ae5f1772ad2237fcd6bdfffa803696936c420306c
SHA5124536905db272307930121645f46614b0a130510649e9ee9816c1c0a87238a1f7f8740ed0c01ecf8ffd19fc7af053b1a9c644edf3fc2df1ead3527ccb8add45ca
-
Filesize
982B
MD5cfe43771d8ca792733ab49770e106460
SHA1805b70e77b876ad95ad1857975d3add9915394d3
SHA2563364828e4b672f7f7917c20d1edf2baf3cc6fded8e3d49a37fc454c1ffa8a79f
SHA51233472d59b3d47ca79e51e293313e70b36cdd71122885d00870a168bdcea1cef6eb2fc35a8bb9eb9002cd9637791e193904527a8cdcf26fbf5b98895d609bbdad
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD522f6ee47cd7a91de5af3b6de54b5e096
SHA1761bd4891147783c1b05be57c1f26eec4d062a1d
SHA256af4a95048829a75e03142fa9f52b5bf38422726a7f5fbd150884ae9d2d098dca
SHA512d6824e82410c4dda7c9fc0d21a13fba889908bdc555bcdc5d0519172e512d39b9c741fca4f41fca6b27c7d35caaba6601cfd5670e09e4720214d4af4d23b3d55
-
Filesize
12KB
MD507371324705f47eb69a561413902b02a
SHA1e22aa186bafcd9c160440e53af0e07bc155f1194
SHA2566ac608377ceca412c0bba4b5176f6c243bbbef8727238fc6f78eb3ea5f379ed8
SHA512ce81b0667bc2af4ff4d3b51a694ca44b612be4b1002322df9a8cbd662171be72bdff472a40ed814f17efb757874f1009fc14453640e26b5dec7fa33c9b6d3637
-
Filesize
15KB
MD5c0dfea6fbc062be8cb62242f47881b2d
SHA10232c7f29fefe9687faeb236b699f25ac23b4ecc
SHA25678524f5a2059b083431ca1aef6073f24e9ef7dd5ce5ebe58f429029bd054c9f2
SHA5128a54c4b7fdc4a55eaea2b6011a8ec64ec15662a56496be45c570fddca978c8d617971dadede828847c6d6132fea4b08935bb8848e69db099b798093be884c771
-
Filesize
10KB
MD5330fca5f2d97eec33be4b81d5d76ba68
SHA1a1f9f113c4bc9cc9db01aa8c80600fd913dcc3f1
SHA256092576629a8c4a14720886da4019e0956d644099e6c3de6c79dad1c09b94805c
SHA5122676a354fbeb1cc3980e9a686d6f354d92174fbc2991d6190592a60e34a83818d96f595b86945c0e54ea877a5340f1f9fb43500ec9c31b9b204852f7c7621525
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB