Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 14:19
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
1daa3a0aa5ed7e06b400a47309ba5003
-
SHA1
8d475fd4be28ee701dbe5e2fe489fe9e9b3e826d
-
SHA256
c3d0427b8bc9d084ac65b881ec50f55be52650f60850ac05010ccc8d56e3d1cb
-
SHA512
bc671cd250579413e693d2a61c2873a776a7c39125addd78b7a39a268c508fb638cd7c552faabd3ac9a53baf4b97086173af09264dd68e2f5a7516b55a3f2ed8
-
SSDEEP
49152:PMGDMQEgEDs8SLI5GQ3+l1cxRGPfyJgSuOB3X:PMLZuIgQuxpSbF
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
meduza
109.107.181.162
-
anti_dbg
true
-
anti_vm
true
-
build_name
439
-
extensions
none
-
grabber_max_size
1.048576e+06
-
links
none
-
port
15666
-
self_destruct
true
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload 43 IoCs
-
Meduza family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008207001\Crypt_Medusa.exe"C:\Users\Admin\AppData\Local\Temp\1008207001\Crypt_Medusa.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008207001\Crypt_Medusa.exe"C:\Users\Admin\AppData\Local\Temp\1008207001\Crypt_Medusa.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1008207001\Crypt_Medusa.exe"5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30006⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008208001\57009455db.exe"C:\Users\Admin\AppData\Local\Temp\1008208001\57009455db.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008209001\bc069581fb.exe"C:\Users\Admin\AppData\Local\Temp\1008209001\bc069581fb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008210001\5f846b7e22.exe"C:\Users\Admin\AppData\Local\Temp\1008210001\5f846b7e22.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f23903-8a38-4d52-a7cf-799673a22de5} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edd7ae86-947c-4556-a17e-ebe39b19c5d1} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 2568 -prefMapHandle 2868 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb453ca-86a6-4259-a659-60325f7af082} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb0fb3a-3334-4d7c-82d2-1e791b83c03d} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4412 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5306c105-e9ed-4279-95de-5a5fe25d12a3} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5280 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aba5cfc2-b847-40cd-b47e-cfd5041cb038} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cdd8d9-a151-4845-bfef-33036224644b} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5920 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {909e9b71-cadd-4837-8bec-2a991ff95d52} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008211001\56f204ff95.exe"C:\Users\Admin\AppData\Local\Temp\1008211001\56f204ff95.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1008212001\9ef9f9e5ac.exe"C:\Users\Admin\AppData\Local\Temp\1008212001\9ef9f9e5ac.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b743cc40,0x7ff8b743cc4c,0x7ff8b743cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2356 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1712,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2620 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,10558661739268865083,11162990936174262691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 17284⤵
- Program crash
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5172 -ip 51721⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
8Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
20KB
MD5c7f2401d7816af0184d19c36e8cdcb2a
SHA10969b3bef0e13f9105aa115e0b41f89f23cf1d23
SHA25657148dfa4eba41ac8a98ad01adddafa610747031f390972c0a00440d62d0b8d2
SHA5125e2fd23b74d111dde5044729372f90a0ee5b0e273e8a8ff165d7cca7288fcc3084e2f3786c226d299a86ecbcb0c13e77f9e88dd58b9ce4136c4a4e0e3ac26850
-
Filesize
13KB
MD5714fdf8924e18571bc50e7edcbd16bfc
SHA1b7a79a09dcce0a3e50d9cac462525c7968382ead
SHA25688a28acc30c84ca2fbd559a8b571e2f4584cb7242d6afa4f5855ae4359efbf93
SHA5120e3bae6ec12198a4ddae647f3984318b47acef2f0a4619e5bab0ad3a3afc6c0299f92b0e721d5e2e6c92d93e2ac264860612529be60442dba5e7718337f3cfdb
-
Filesize
4.1MB
MD53f6b461548bdf92e28da68177b1c6e5c
SHA16f8d46823ac5710ba74f5e9f90429dd64ae792f3
SHA256cc332b2b190d6bed3bfccf6f7b878a2065cf70babd1cc79a65b7adeadf130323
SHA5122a8c3421b7c5f718077efe03970de7e716eceffeea39df6b5e4cdf6d8468b896a60b6842d8d174cdc96e58a372b3cbfd07fedcb308f9348a6860e441c72bb88f
-
Filesize
1.8MB
MD5a86f2c1f9149bb3b144a8bb9dae81fe1
SHA1d92e5093e65fe71cab7d620358b61e682563e5a3
SHA2565c0f9637fb888a34dfde5a50476a9ec70abdd40d0aa54c1f0d7580f66abb0f20
SHA512efa9c4a74330435932459e45c01ae51136fa2a27d6d8e69b8f6a6737088c14853f1de056ab7d52ade5e3e601367a29c6e63b3abef0cc7b5f1a98cbaa82900945
-
Filesize
1.7MB
MD5bc7e15f0d547a97f33b7084eb8bb6e35
SHA183ee297f1a2f1651c6596c5349614ea27e4643d5
SHA256bee50744a16bd59e87b06e58043e3efd7bd2d3fb31f25e4481a9ea498e181194
SHA512e02e938300749d0c12b14a7b58c7cbd5bb0ab24680313bdcce95aef40403dcebfd10e1ce9f27088e6540fb21e5df70e09b296eeca832e165c74f4cf72b08b1ae
-
Filesize
901KB
MD5b0895a0731c64e8b38c574eb8309b613
SHA13ea5cf134fe2eeac85d6e0d270e020e0d70673af
SHA256b98202d8039c3e44098b3d63a000bd426afa2d01ad5365b4c4a36ee936f97bba
SHA512980d03ffc4763b4c4b2941a66ef43f0f5dbb11dcb55eae172d0e2074af41504a718d849c3d696fcfaf0b3c74c62c59dc661394349f02f78e365fd073c0632dd8
-
Filesize
2.7MB
MD551dad23c32335b9cf2517bd6d2b8602e
SHA10262f39a2b1562fa0eaf497490a712eed240fcb1
SHA256aa4b16bcda60809267bffc7edbfd75d29ba563d9f341cc57994d2676ada69156
SHA512bb2e9854819b47cf2360fba54f40bba9b883cdc04adf4d4f4ede0cca0cb40191d86c2ef56605b035101d2424a9ad2b0952ca80a6b5bc5d0ecbb7a910e1cbca72
-
Filesize
4.2MB
MD5b759516b5ee0d73ed0870c1be43fb479
SHA134533e5ca737f48d55c73ba5cb939f39089c04c2
SHA25691180f943fef39f7177bbd1c1d8cf225fe93c0264dee172ebc7c96e69592373f
SHA512e911a8ca629d58942da1b2f8a85552b7f65814e071fb3105049e61eeef75fe4b545adbd95e01d58510b48f2abe83a630d438c8ea95abfd0e1866de330f27bc26
-
Filesize
1.8MB
MD51daa3a0aa5ed7e06b400a47309ba5003
SHA18d475fd4be28ee701dbe5e2fe489fe9e9b3e826d
SHA256c3d0427b8bc9d084ac65b881ec50f55be52650f60850ac05010ccc8d56e3d1cb
SHA512bc671cd250579413e693d2a61c2873a776a7c39125addd78b7a39a268c508fb638cd7c552faabd3ac9a53baf4b97086173af09264dd68e2f5a7516b55a3f2ed8
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5b6dc03879d3cf33d232c0162b0e86ef4
SHA1d3e18a8378db7c9030f21589e81e31cce16a5730
SHA2561fa9631e613a5a169aff4eb551450c84253d27362e0482dc2c5de3717ffbfdb0
SHA51296f5988bf8b1761bde83775622147e74c885400a83e8525569b5f2726a0503eaf122c5ad1db42b3542017a887366d25f1d9749b2d3c1c93fea553ce31bbed635
-
Filesize
6KB
MD5327368042517450744192e83ad2fc768
SHA1ac792180768bc4bcdce1ed5450fee799aeecda5b
SHA256991f536f3674556a5357b0b867a90b1a78bf9fc174b64a52f3631c7e3befbac3
SHA512566ed495b3b91fc0a50360a265e5ff4ebf852ec148b5120a344d18fd5d5ef46e1f65c549297575036a8ea9245dc90b5754c6362df9f74d0beb32eb495941a55c
-
Filesize
8KB
MD5cf27a499cd2fe6d0a30b998c2e6501b0
SHA14c3e6180a8ef47cb45fd96ae5b82c8f556f45eab
SHA25690aae2ae9d14d716ff919a4cd6e8ebd1ea9261c3301588dfcbb0dc059d40d65f
SHA5124223ce8f8194181ef314a1869df16e421fc3b580725fd5309cd682bc93df9ca8afa69605722f1851d5d696d88f5416b775527f8816a3b5f7f73f600664966c6d
-
Filesize
12KB
MD583a99052a6ea20b2b3b7e9a853457510
SHA17ad493cab9b1b4c4ed169bdb5e04268c501bb052
SHA256d450d91b2c5fa0328d723a9518d4ede250f15cb94f5183ed196f828f04f659ee
SHA512b735d16c6553b2e1ae3a8bdb508a5a75a7cc9401a00fbae3ea9d3b36b76bfd547cb310cec7b7554c49b54ff5815c3a7d3a4baacd25b9ac989b0af46afc8f4b2e
-
Filesize
5KB
MD5110a54cd1dcfb56efb2bb7875d0ca093
SHA1dd9117e7c40ce87f768701413092180b71a9d2df
SHA256ca1abf76770bfe88a21f570447ea20e329ca472d2d8f5a00113cd740e30fdceb
SHA512a721e7f88f0351109192ff02383f1909eb4cc8d5875e11fc793e8f49b81c7c28fb4820e6f289850f09a9fd13474292ee41c39aba173d7dc898e10c9df7fc074d
-
Filesize
15KB
MD5a962529fcb28c2ae46332486a8ebb68f
SHA15b98d7a43bbacd6fc4a2ef2c12846000d19cde6b
SHA25623e391a8a1eaded55fe08cb58f417ac00c9922f8eda20ca1da66ecc9c91f9e30
SHA51226d02648ce1a4b00027bef0f9f93f2f552919a278ea046d8ad4e242eda8e265e17c6c1675c0e3b64748cb0332c3857ac29945eed359c61db735b26f29227d6c5
-
Filesize
15KB
MD58f927035d3a91f1bced1c1c5e62a26d0
SHA15ab656adcd416dfa6e9cb7860627170e8c79cf76
SHA256753f9b1d11f995cfbf87bc1bff1d8746e5b3d8c6a964a2d54da6dc135d36889a
SHA512e176b80123ee5e20068ad331f94dd9425dafd94f2ad894dd444e7f490c653e7b87106bb3fd21290f98e485490cd50ab46b3c5d9261fb0b871f89ae87429465be
-
Filesize
982B
MD55e4f80859c69105811be9168d454b5cb
SHA1c955dc83295194421327dca6e974e41fd8e3e309
SHA25630f004c6422d9dbc6396b7aab12331de697b8abc4d23cf42c3df1f4ac10a871d
SHA5121f3c320753bcace3a14a3d2e87c90b244666aec65427e8e542a90d965c42e5b191b1546a58063495720cbba262102440f2f26b3d5aa542643c5649cc8b33cbd6
-
Filesize
26KB
MD5ca744d3bfed73e2b730997a831f5fe20
SHA1a9069384afec3ba646c8084759025d1a6df2d912
SHA256fd643bf7adac00d8fd25eb204ee3a28352826c0a595ba581b9adf42fbe35292e
SHA5126b7952e0e863e2492c632a8b78f603c1959040d28885f946fcdfdbe5aba882672d9bd4c85255ad0a32baee8cb21775dd6353ccff55b2a14e386f80497feb756a
-
Filesize
671B
MD5562dd0f5f8f9769891112d925f7b5296
SHA1bb03299f88949365f6cbf7558ed904832c8d6ec2
SHA256f9fcdd147ad9db4b1fe03c6335565c77682674d9baf836673d7d609487f45a86
SHA5121284096e965f9c5732382b111673c3a8acfd96f66d06a1d13e8247fc49a16b3852640be7eb4c152e42f4ca4968527b1b4351ceaa09453075116a578248f59cf6
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD55965baca0f6d119fb8c953a2654e8a0b
SHA12459ddfb6cf2991719074b9afe8f186569d7f2e0
SHA256be4855ae4e85af2b1f27e06d109d782f1e598f305442f730935b219b3f67b6ca
SHA51288c27f290a5d766421a6ab3dc94aa572fb549d0c705a58a22e4fe68b6a4daf04bf3f01cfed63c547d4a69fe835ef641c2ab74c5ce0c0717e69ab3d08c2be8673
-
Filesize
15KB
MD597fd910432571bda4896e24fb3b66361
SHA1a894a56b542433c0ae308eb6e0df3190dbeaf9e1
SHA256e1245b3e1d005ebd2146fbcf25751eeb13bbf3d77ffded39448fb76f13585155
SHA512b1c590f447511b08cf05459ed95c8ceb726bb859e49499b5117f48aa09d4423c35c49ba193f9990e70c7d4641e7701d36a9a8a427f68301e2b49f7ab5be2f2d4
-
Filesize
10KB
MD58138873cb94854e3b303a78d24105911
SHA1160afb6e36efd9b080b3ff40a7b799b7531531be
SHA25695d1cbc1ea7ee952d8b99fde71fe27ddb45363f9630d8b045fbadb15aa4128c0
SHA5125087d9ae40ea0f6817dac7ca4c0103a6986ec3afbb409cd322745103ad508f77d94d4737711515a8d908e6287e54a2b4928fa259fb52ef2ae7bad01f99990702
-
Filesize
816KB
MD5b8cb973e2f112e30d606064dbb50ee11
SHA16f120d299a13b4faae0894c85232d53ec1a921f8
SHA256bcff4307090907865c198c51973d66e9cd21d39c81cb790d78a3b6db06a13007
SHA512360b22632aca91b2bfd0d0801f72b95e664014dc1181a614db439ad13d713555457db9230f6a2dbb0b5350d02cc3838a9ccfb145d4895fd9a4c08d6a69e77caa
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
4.7MB