Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 22:05
General
-
Target
0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe
-
Size
7.1MB
-
MD5
acd3bcd13039881226f31e23fba33f26
-
SHA1
b0fe8e1f2db3a202a51ebdf3f585463a4240920c
-
SHA256
0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb
-
SHA512
c5ff3fc5fdde3786e10df97e0768ee8124b7f7fd9865fa65ca579121213131bb3ecd4d486dfa8c9695b5e940fcfa5ee388c94589f3032bf63442e041099b962a
-
SSDEEP
98304:XYYOchM6PJwuqtzmlt+UozKTBPmyqyjxKOWhcg6FIQ2L3H0lKMHlhhXjRr7kycKw:Xo6ZGzmqrzMdH/6pH0l5lhhX1kaO1Ob
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 3 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe"C:\Users\Admin\AppData\Local\Temp\0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5M20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5M20.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\I9k04.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\I9k04.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x96h7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x96h7.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007509001\d2f437474a.exe"C:\Users\Admin\AppData\Local\Temp\1007509001\d2f437474a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffeb07acc40,0x7ffeb07acc4c,0x7ffeb07acc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2220,i,7526272874308750714,823502861182453137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,7526272874308750714,823502861182453137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1936,i,7526272874308750714,823502861182453137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2644 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,7526272874308750714,823502861182453137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,7526272874308750714,823502861182453137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 9847⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007510001\35706b879d.exe"C:\Users\Admin\AppData\Local\Temp\1007510001\35706b879d.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007511001\a78ea3b6f2.exe"C:\Users\Admin\AppData\Local\Temp\1007511001\a78ea3b6f2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007512001\90c02ead2b.exe"C:\Users\Admin\AppData\Local\Temp\1007512001\90c02ead2b.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2619c9d5-e775-4283-8242-e048fc835d88} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e5a481-f705-4b3c-9eb9-9e1ab30c2bc7} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1620 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ae250d-67b3-44fa-b5e1-a16c6e598e42} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf48790-dbd4-479e-858b-f94214e40f47} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb3df0f-ad58-4040-aaca-8b9247d63c9b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e5ef7d-daba-4f2f-a0f3-a465012c300b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddb990f-9a4c-4b06-8720-7fcdc70f65c4} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 5932 -prefMapHandle 5928 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f69fe6a-1679-4f34-9ab5-2a1cae3f977b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007513001\2ec7749b32.exe"C:\Users\Admin\AppData\Local\Temp\1007513001\2ec7749b32.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l3336.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l3336.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P17Q.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P17Q.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U328g.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U328g.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2092 -ip 20921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5bf89476b8161073ea9459f5c2cf2c88c
SHA16caf0e5b87943f55d1bac5efb404d000246b0e28
SHA256aa0c0b7d9633344fd58817919ad1773cf2bf8403ce746baaa6e12dc09f1062df
SHA51263bc2ca91d12a076605a6248ee79e4c7c057a0cfefae50d376e17ab5c1734b51bdbebc6cae463bc77c0d074f010dc6731928e7f2d7afd52ab51c78b65bc04970
-
Filesize
13KB
MD5fd176af0a556a6d08ec39d43ea89c393
SHA186051e31985cef9bc75e40d60082388e67dff85d
SHA2560118bf64a3cb2c4934d25f1304a5adec871abbd57493f1e379bb6d94e97af5f8
SHA51214ce1a43b897187ee22b8b64aaf73a5b75445eb992153db1baffe6a83991bbde108bdc3fee555d37f9a22c5d185c3bc01f593cff6cf4f53d2df133b04549bd88
-
Filesize
4.2MB
MD5abf203dd0126ad56347d05e2c0f48322
SHA1b6efee54668e99435319d65f634459eb561c1491
SHA256987b2a963feaca33452ac5dda999e1447f2732014c71c3bc3f5ced7d3227886a
SHA5129c0f42d430a1df1b6b87cb3414dc0ac72524958b4cb4c080bac083ffef4948c011d26c20291ae2e5e46b1dbd20eb325e8657c067fffc9094ff5c0adf12a4e4e1
-
Filesize
1.8MB
MD5de2aa4b5f127f55c09506cd57962267f
SHA1ffac9d997902c2f0f8eebe41e4d75fbfe11d09ba
SHA256482b3d609f547c1ca3c65e42fb8b7447da245121781edac72e414fb7b20f9ec2
SHA512d7639d334ec27d150b84f0adbc9a168c28e25557b0a0f3a21b3a7769143b0aeeba45f3198a9c07edcd95cf17df9921506785c13e16c0eea73071b1b9e7e0244f
-
Filesize
1.7MB
MD56032908392c4951140ecb7830b0a0538
SHA113a821604c15f9947c076c2f705c4e8b085050f5
SHA25688359e2cf798ed00c4be01cf59eba68ca2a60d47084c4b066a5b294dc3fafa7d
SHA512c61dd54a543a7c8f2c79da920b5fe518ab328595299445742d9bbc65abf1166e20399ab40f2be395126d413a7699458b32bcc64c6b40eda8f1d44fc5052630f3
-
Filesize
901KB
MD51afc6ca33051ebf697daf4ea02562fd6
SHA164cfe0ddc48842798859756cd0d8bb1d3dac4738
SHA25691b487952951ee6cd25ff253c5ffd8f270290e6425b247d364115f41f5f362a9
SHA51279068d1de93847c90ccae9c5bf13b529770cfa81116a2fd067e94a6aa00a18a194647014997c2ff10c12be083f9955233622d2192e3740e019ab8516319f90e6
-
Filesize
2.7MB
MD5b3517ef5cd9dc889a546b165b51d823e
SHA186adda45e916e60ab18dc494064449f427801132
SHA256e8b01bcbbcd754dfd9f6ec262fa5a47567764141f1684731b02209e56850a39b
SHA512d7e92de744e5eca583692961dd6466370a9dbc4cb4e9611b5048d1d4a25bebeef06e87b00543edf5fc1d210ed654eb549c16a38dd3c8d00c358dae968b0767b9
-
Filesize
2.6MB
MD5333b260426a661dcadd5c016ab149ecb
SHA10f87cec4227cf24cdea86a82b632d45488875e77
SHA256afcc403016c3fbbb10e732010bbc93854c1e1be63df48c91901acd7e05aa0e2c
SHA5129e53484a98183723e63359ea714dea7b48d0ef43ae26a426fb0889dc1320b3b57f3876546ed4c49284cc79ab52f0b240954eb16b8be3ca392570d7010872b458
-
Filesize
5.5MB
MD5de244e6968245b2d54861eed0111bf01
SHA15f7aa8325a9c7541219b9d3cd4d7537293d18f42
SHA256da6aaf568f01b8aa8a73f9743bff84350f30c37044cf1aab4073889dc837c2f2
SHA51285c1e4772cc243d4ca55f85d512ac55868ce94912e149302017661aca67adee16c1198d28035869713f1bf664f3cea6b4d6c7fd05cbd799a87d61efede814b85
-
Filesize
1.7MB
MD5b3cec29dfcc248bc4f4f33ff5ba14470
SHA1389dc1f719b34841eaa55c8e81ce0f773fea3acf
SHA256841e3ab686e632551e2229d68366490832987ab47d308c54f6817f3e13a5ff52
SHA51285803678ee823025990a8377b0b51335be58365bc1fcabff37e4ed1330b93438bbbb94e40908f3ccaea4631ba5d155d0391198ee3639630bd981cfedfdc5828a
-
Filesize
3.7MB
MD5761d5267fa40c42711cc78293067eb4c
SHA137e96c70d59dd21c56cb1cce31d92f9f19bfd4f9
SHA25660e340ac7c40046ee154282387e9f1dd54f8a0887adee006f8887e5b295ea339
SHA512a252fc7a281bda0b6f77296cf8afe30580d9560c994949141151365dffc95c5976f7987df77021df44ce19abbaa2fb1bd9fbcce7a18c97bad2d9a093d5672748
-
Filesize
1.8MB
MD56232a1aa692fe2b9f3f8e67d35c7dab7
SHA187dc7bd254cac48669668a1833c10b8aab3775be
SHA256a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
SHA512c29f2e3b76fe7c2ef81370990b02ee978b81f8ceebb191cc218672184ad7fd5046d8088bcc954f62b05f72255ce15d89c909c99ca3d2ab6d097725d13736300a
-
Filesize
1.8MB
MD539056519241048010fba1480bf5d5cd3
SHA1f0283822716b9eedabcda608ed38bc5b0991b383
SHA256b81816637b651ac1f6790a8ae19cbf952951a656df586960a4227e568901d55d
SHA512d2b6d09560f28ca9ad1e5f04b175c769264058db53e1ef1f7a8909bb0374ad00bd4629e97ef1c3fa25b5d2728951afb0fa2f50a85527037e4f37b77457b2ad0b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD53e8579288f1a5180ceb988202591ba54
SHA1d13dd32c1f74bbab500714bb8df3b6e445ec2fe3
SHA256ab017e5d06827307548009dbcab99b496110863c1b09186eb1f9b5b380a89089
SHA5126f636368b04d0c71c88fb712daf51cd71267a14321ffcac91c8af2d8ac270e925e4b29e92da3fed423154a9cd37f81b3d9ded24eec6bcd7a1daa4cbe96a59408
-
Filesize
8KB
MD50e9cf448e670f48278650cd2c84bf332
SHA1b6630e183d64c0d31948aa06ad6d7c6c5661a521
SHA25678c01954811e1dbdf5fbd2fdad35384a34d6a7d2abc6f86d8927c5bff13e3190
SHA5128f44e094b238ffec602137ce4e4a01b6e2d1257eacce60af2a2b4e02886a3378c296a38d9a01ce18ceebbeeae4ba7f70c68f1c1689536e00fa7d99e4ccc8784d
-
Filesize
11KB
MD556a85ed0d72a1fbdc75241f4ec8ca687
SHA12b5ec38dcfe6ef1d148b153a4c738e5f228f6567
SHA25603ae5ee86854e3a5bf7f5248eb5243d289432321fddec16f5fd414c99a3b0f56
SHA5128449b677e1ee1518d43a92a0547c886cbf5bf8092236c71b8768871e4c8be82549cf48161a68f59b5de2c991daa4b2e5d0a5417d31150583721f92e06048a41a
-
Filesize
15KB
MD5bc7c9ef5b5f95c936dc2afb4bb2f2d12
SHA19cf0e129468527b8d0a69909d615eeebcbd1a5c9
SHA25679072766e0e5576038855cbee1b619ae8ff56ce7660018f0127f6c8532cce676
SHA512903c6cd8c0db9f5ceb0e36b45e11187d9b79aaff7668e90e0d59d677b58991f7ec6da0aa9f4dd864aa4a9963b91e7d005550c6f1e8b6d7dcdeac1b266f8a8a09
-
Filesize
23KB
MD5f44566887de0ebe833545db7f440fe4e
SHA15748251397daa20f1f99f3c73bacb9f7371a29a7
SHA25674a15cd231fe8d466f6ee1e8a1ef5bd0ae9aa99dfdba7b358b9bd07ad878691a
SHA512433dc8a7ba9edc56c16e8bb7fb9608602253f6e2842de647160832c935d94de322448b4e84a6a92d9605eaf276b31b4abb81de5a914f4ceefc5e09c200db1e40
-
Filesize
5KB
MD55a35ab0960e4fbc34d614bf0cfefe2be
SHA19da1239efd6e2b3af87f3a0e6d2e3b8b0d69e562
SHA2569f06d62c32f7aea6f443b2be5782709565e6c143f8ae262162ac3af48b7952bf
SHA5129d214b83d1d26d6902aab3f91c94939da68771d2aed839e699b088c520884db0a4a98caaed770e3399dcc8f88ad537db0a8155c11ae725315f46926441abba5c
-
Filesize
15KB
MD5e0982411d5d2d2240de4e6f034d7f733
SHA1bd089a1317537f44e003eb723ea09fe3691a2a10
SHA256f3813bb7d001c47125754369aa6ab3937b4c8d51992f74c35e3c9a6f15c28482
SHA512dfc229d8f4a6e6a95e92ce2e52b740fd1ead082256815e13f3884858e1198900e33c5963029d1b6831de55fabef7f9f9c715c91626ad130de347764cb1852791
-
Filesize
5KB
MD594f464bab9f746b2697b0f66d05ef32b
SHA1f47c45cc2a112adf16e0441e347bba752c736e2f
SHA2561275394ef83205a76fcb4a44583ec1891a79177152a2d4e0a56824d83fb46e4f
SHA512857f41d91a3d070bdde373c6b73fe36c233ca5954ae3826f7bbff93ebfa2c4a7c4c4dcc0a650e3926e9c07b177839aca9982a2226eaed6f969c99b9752e2d183
-
Filesize
15KB
MD56e023e74dba2cd1867b5cc8b7f1656df
SHA132d6ecd86bac6d076dcab59524e458f367812d55
SHA256838d656b4cd9fb209cbe868f5e292f922d85289e7be7b8f3dcb8c29862e40b88
SHA5123370302a163ab006f36e8387081c75e305f09456fa9eedb92c817a32f009b42d83e7596789eef72f7e059180215e7ac08d45201d0ce1fae24e5d8b0fba659e00
-
Filesize
6KB
MD544b0099c486dd253ef4dbf9ad6506273
SHA1213ca709dd9dcb33d751b7536dc56b1c1514741e
SHA2560bc55fd0acb1c07155f37acec4544c4984e49e5c832aef1960c12914ec65f62c
SHA51221524bca68a17e54e4966f6dc7bad8752c3661febfbd667c86decbcc150bbd37fd6b5340017580e5bd2b4c3835e6a26f3b5e30a0c9a9d14e40af7d93d1026171
-
Filesize
6KB
MD5aae37598145feff5b9c5dbecf1ff6d9b
SHA171f4e86dbb54653a4223aeeb206ff576c64e4d4c
SHA256048f04deed487f80ecfd1d295afa261653933ac49bc46e765b5dc3558039f9b9
SHA512cde23482578fa60dbee09fd142f811819280341bfeee36f61cbe3e57e1cd756218ee34e9419b8579ac2994e1354e2ddadde72d0e1cc7faf2348343d241dfe33b
-
Filesize
15KB
MD575f0088e0c4f0a5a987e9f391c88e3c0
SHA1ca90b6e9b1dcccecf1d3e4b372004503e0da9932
SHA2564d811631e29e3c18be27d87c32fa8d73ae2b8c836638a9000a5cab3283162309
SHA512c80783d74266c70e38d479b8464f7ee916a6e468d9e71ffcaab337e13483771bfa21ea54b5007469fd9202ba631a8aa6e56ead27250c0de5ae4f5b4ba01ae003
-
Filesize
26KB
MD5cc8160e7125b410fe90ceca7002904f3
SHA19808d9833b44b9d5a69674cd059a0f2715df831e
SHA256775d4fa8c0b5a28d3d3464434c339d47502c4f68e0d39d4e0a69f4c5fd2fc09d
SHA51295529568da2eca209ba6c6431ebd9fa8f0638bdb4b9d6bbfc5a92caacf2dd86de2221bbfc6fe8e4e5ad01c3f39b2ca6db45c6d9777300cf782e60092fee4fd3a
-
Filesize
982B
MD57299c9d7884d741e87d14432190e2f66
SHA1c0620f2d86ce229914052a4cd8136c4460debd47
SHA256967dc05ff534bf95db931f1b0058eefef27bf592a24b2edd95cd5e57835b8a7a
SHA512e81455fa3c17652d333468954081d8ed3aabe59e53228fce5c42f7736d0b91170b1710e5a94144a2f786d2f30d71befc24a856a27abf92f5fc73bfffc3e2d364
-
Filesize
671B
MD5286c0829c23b1d9afff635c87a195da4
SHA1ecfaccaabe99a3eb0a1c6bdd18f80c673b0d6a68
SHA25633c4b77a0e0b1275be1bfed7f51ce5875d0ee294979888bb21aee7dd025ee575
SHA512e6a640ab3b72cd8cf7be70c0db343fe5fbd195c613caf866eb88164389ea1129ea2c17f71af356430b833857edfa375f8c5e98830b47bd5517b766547e90d4bb
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5771b1ebedbe9bc2b3830c159605e17db
SHA174949060231185e8744589ef362ea5daafd5ff0d
SHA2569d7fa3c64174022a184cefe40bb6a85da29c59a6109c3a6b475005e5be369239
SHA512638d50221150507c18cae82267a49e5cba6bffdab66df7a4392e00c5a5d81ac9fe26f7a894a3dd65320fb1e9f76a147351b9a854fe36277c59127083152800e5
-
Filesize
11KB
MD5827c1ce83524551a1e4f4238b7a331b6
SHA12ef1e66c2c71f0d660ef2473d191be1725e909dc
SHA2565cca9afab90a9c6390fbd9a077850a83625edfbc3a0a5ce9d25c6e31a3c2ee8c
SHA512d2870fa41dbf7caa75efa52a240e4dea2c154b1726259c7dd6eb6a6ecd2da0f7d9c7718cbbfeb89c042bceb060bc0958f03d60b81d09f4ef8ee44d6606fc5b17
-
Filesize
15KB
MD59d09b0109abb98f5ce0ddc790be37842
SHA196d7b1e26c22a79f2374a69ea7f8c1354d4dd48e
SHA256493ed4a3c8b39cf176b7876abd4850cceb8c471b02492e8f3d94fa4115f88121
SHA51233b7f15122a52f4936c8034738d9a42e20ccf460b50142e735b1934c2b232f4ff11e24bdee039a300990e4d9f3b13f6cb20d99880f4776b80c5b508ae7eb25e2
-
Filesize
10KB
MD5a32c1708ae2775bd0595d9df14701480
SHA1e810e093ceea1a020ab4795bef820ace98cbc95c
SHA256c92d9531862e9ace2435e115c138d34be9c6c2ba199db503608257be808fd4df
SHA512720ae939b799806557450b27006d45f6f76f8411d3121de6af28cde787f90a2aef8b406c543ba37acb3493ea60260278f5013ce37f0a8db906b03d00edec9b71
-
Filesize
10KB
MD58616019c0203581222633b0cfa537d01
SHA12f21de29d3b66a6cc8cc7dd66f8d71bb4b2b6151
SHA25600521b22eff5eabad5d36bf8fdbb48fe9751b42597b647b3a6f544be82c66107
SHA512ca546d125f1614b8a04d500d0194aa49ead72f32ce2891856e41e4dcf4743d2fcd26276f0d4316d876dd1ad47acd964e50a2cade93afe221db8d27164b231d62
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB