Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 09:59
General
-
Target
12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe
-
Size
7.1MB
-
MD5
d95ff3d821e33801a9dbc8e8c4d76b93
-
SHA1
4ed26b25a2ad05a14f0e73d669c12276d0961126
-
SHA256
12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a
-
SHA512
d80f03713075358bd4a994cfc385e497b44e572f39f17c4547c6f80c64299d237478d467f443cc73c4087ba04131e98794ab9a485f967bbe7e1a966bd760d567
-
SSDEEP
196608:Et2JvVqNGNdf1V1a88oXsJrGLX938RwGGDi/b:U2dJddV17/8JrGLX9sh
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe"C:\Users\Admin\AppData\Local\Temp\12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5F44.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5F44.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\V4v03.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\V4v03.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h69u0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h69u0.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008401001\c92582307b.exe"C:\Users\Admin\AppData\Local\Temp\1008401001\c92582307b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef44fcc40,0x7ffef44fcc4c,0x7ffef44fcc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3644,i,16788659432986644478,5031808583053624694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 19007⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008406001\54053a202c.exe"C:\Users\Admin\AppData\Local\Temp\1008406001\54053a202c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008407001\3064fc2c20.exe"C:\Users\Admin\AppData\Local\Temp\1008407001\3064fc2c20.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008408001\75496531ae.exe"C:\Users\Admin\AppData\Local\Temp\1008408001\75496531ae.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2068 -parentBuildID 20240401114208 -prefsHandle 1980 -prefMapHandle 1972 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2866ff5-e4c0-45bc-81cd-db8850902c68} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2508 -prefMapHandle 2504 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e318c71-5510-44ac-ba87-d213d51910d0} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 3360 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {632de94c-cc20-496b-a799-fa29bcc80c62} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 1552 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea79b6f-1ddb-4841-99b2-be1db75495b1} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4624 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4616 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad0263c5-54b1-48d5-af35-060f44cb0512} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ffdeaa1-e1d9-40ff-bf7a-4825864c770b} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aefa798-de9e-49bb-ac14-33be5f47fd59} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {613e4ee6-5c22-456e-afdd-2294c3bf0eaf} 2232 "\\.\pipe\gecko-crash-server-pipe.2232" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008409001\96222090ce.exe"C:\Users\Admin\AppData\Local\Temp\1008409001\96222090ce.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2B2932.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2B2932.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P49v.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P49v.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4S816M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4S816M.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1748 -ip 17481⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
27KB
MD572f3d5c995cea98409d645e4e96fc7c3
SHA19a3543382a325aa91f9544a2708facc90608d8bb
SHA256fef6a73016557cc09dffb981228ad65c51755960d1353484c9c4cd84eb07d46c
SHA5123b3fe014e2defbdef3df457e71b4a335c4cf5980d8a8ea8a0e29016ba808258769d9a91dbe4261d2f1565e8df0c5cd5f5c24e4d640a083fa3c6bffde0a8c5b1d
-
Filesize
13KB
MD57a32257264a9b755359769a4e40f1f22
SHA1a7d7357c7cb06f67925ca7a5e23a1a7f478e27d8
SHA25616e01f85a8b75a37ae09b0df19de18e7cda47d7dbf6f13a4099d01044ed74526
SHA512de7c91342116d0a8e2f59e887696198c871b45eaf8c0bde469f77aa7369c596317a6042e33ea4256756376abeba985b5208fe5d7e32d07ca947b6fedf8496569
-
Filesize
4.3MB
MD5791373b49f4ee813cd3b2869a62d5e86
SHA11231ef136f9d806edc7202e44e81bd35d05526e8
SHA256ff7dc25ce280c034e4038d4ebc20560904ceef62c9ada19631c8f4a42183c98d
SHA5128321138d61d3fec4b6e45ba45c0b3965a8a9d20f79e4956c1d8c97c815b6d9fc76ae8b8861475016d1aed8397c7d321a8af4b63ab88cf9a45576b131d9ac8c27
-
Filesize
1.8MB
MD5e29592877c28430510ef200ea5e9257b
SHA1c7d17b2f2ea1cb28c450eb232c278b94a9a6f453
SHA2562398510a1839ec4b89e7c3cd91f56c9235165f8d081d633ae0913a43508afb56
SHA5124b16a577886489915916db378c914b745ff0fbed5938f6736d302716ad05ecc82124b2817033ff2265ccc2b67f38d1c74fe9741fb3451ed96d5b7385032546f2
-
Filesize
1.7MB
MD569cbce48a9ce8b1da7a0195ae4dfbccc
SHA1c05a7472201be886b55e2958351df9e211fbe639
SHA25665e88eb9ca629cda57680a4f4f7d0d39fe7dfe7ef80d619b809779e9ecff33ad
SHA512f24c8b12f0d2fd02a4ffcc7d196f96f2c1f8edbe029c5e99133795d8834589b2ad60d27f55fcb3d5887fc818b8bc178298f53dbf43a5cc879aef279e809fa311
-
Filesize
900KB
MD530e0a4341ef78b82f707de1f75554d8f
SHA124b83e21c9e861202cba0f653fbdb480c2509d2f
SHA2569324205f06fb84bd07e372d2b405adede12597a5d18b42744aba08f72914c525
SHA512e3d83fd11036bd7c860fffd4330396905281c3d8b4127c7b95bd088cc3a5d8a99e75caac493e66caa7e618f2fd98f740eb24cd4ec1b339e3fa67b4f605c54122
-
Filesize
2.6MB
MD5a4ccc1e6f4894f4832ff349ee223714f
SHA1c1863ef0b3b70c0210e30bac674ccd04b0bc5857
SHA256f7a868b76e3f413f7cbeafd75c889febb45650ab6c963449f0c1d7ccc833c3b8
SHA5122d33b57f20309e10fa5d1ab1e9c5007de9a1f91518bb24caa8a94c56d356cc2f5f96d7319cdc2817c7a8b28e77629719fb5fd5a43a5ac418b4362e9277a16d66
-
Filesize
2.6MB
MD510e805250d9b4f6094aeae0c93f4279a
SHA10e89ae4fcfd91571c37a5e059c07f02c64941dde
SHA2562f209c823b7ac5953201ab20d871bc8cb520f5ebb4e1dcc1595bc575d0b05753
SHA512fbbc0974e83c2eec00d4abb2a802126726bb76bc19eb6be4ef0f7f9aadbd029bf93e84856365f6ad9dad5d87fa39ecebf245ae4e6d7cbad08ae0029ce422f101
-
Filesize
5.5MB
MD5553ea1e552aacf6cbe86ae4b68b9aa9c
SHA179551dd48a5a1164caf76a954ab23150f3c0a322
SHA2568d25d34f1a2fff68f0ff964e5683ccad90a2099ef2719e7c0ea0e75abae302d5
SHA51203ce47db33e186280a9309a0ddf01bd3d465d9bf88386033fe7d7d4b5a68e6ea0b35224865be61c1573896889ae49ffc6b1f58d211a4e7e1331d9bb446f2dab9
-
Filesize
1.7MB
MD5e0907cecf84597ff5476178c7addd920
SHA1d8deb30212420bf1ef69199146d869cf5408e836
SHA25608dc99ba8da04f16d328f32f11c7721366ecfaafd04c21e7b3c0a3a2eb794dae
SHA5128c51b90d7aef29a5f3e7fe4410035fbdc876d4a4966e119cecdef672fa6abe652762faec5d214cd210ed9c185083718946a8434a0d0fe24a20ac9793339f1336
-
Filesize
3.7MB
MD535588e50d5097a534f6fc9d81b7bb4f4
SHA12e927724766af202d1c69293eb35df7bd431e3a0
SHA2568b2a6e11ad4578a2bdb7a5e31939f23af927b47c502f774c55aecc3e9ee05af7
SHA512a9fbf80ef4076320297075d41b8d7e50de285262541eb2e47b2c7896d7403a8a7a9fc00a80033ad90ab103f6f9452872fbcc387205b08f3363df2369197f3293
-
Filesize
1.8MB
MD5642a88e4846a4148e7a4bed5a1f988a2
SHA11e02b5843578247066ca9017b345ecb511bdc3ba
SHA2567b98dd28b55e84671d52943a82b7919967c4c825ac6bd69c2dfdadfccb986747
SHA512e82a2d6bd293de9775ab69a0ecbb68e152dd2c1c12ac324503351c942709599ea7741259903e3ad2f6532bf54f4328ef22d47aef3137465375bb585ff15564d3
-
Filesize
1.8MB
MD528eec1f233fa603a73733f421f9f694c
SHA13060dd53aee77c2ab730e5d226f283583964ca21
SHA2568ce4d7610874498b34eab78b1859c8997397635f48c9621aaba8786251cb1acc
SHA5123dfb1f3565fe06db37e200314e40d4d66f7aaf3afd5b50b7813ce5b4a1b1b3750f2dd05e90124c5d2d38f6789013bf7cdaf9b6a9d807067328e75484945dac2d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5d14242c59c1c754fefb0d9c1a2ffad9b
SHA162e26244e8e88347af5d2af4cdf2b0af953d653b
SHA256837358ba35c1149d88decb2d69eef58ba24e28d27d35fc2ed7e6d813702302a8
SHA512e4afaa06b99d3f3ecfebc4ff9fbcc176d1f9d0192dd521f9b2438dad69da24ed176b3f5b30e023d4972dc408c1550d11e71e2077d36f8a9f234b2e83e5918f05
-
Filesize
7KB
MD58e987799538c8dadf015a92fcc13bac3
SHA1419f1491cc36442563b24ea8da697b758edb8453
SHA25627860a3a41a043d2bcd24ada5ce825854902564d00d4a604d9cb62242c7e442c
SHA512ff83463626891f430a33688ee4ecd908bad6ca7679a0713aa75f87cd8322b736d243686d06da7d01261dccebec116a41afbd27d6b307f75406f06815618fe676
-
Filesize
10KB
MD5617ecb860dff0d81bcc281fa46a9763a
SHA19a8b8ae352d7200dfc0c66c62549b79a774c663e
SHA2560efcebb3be52ffdf991e517bc0499eb28a65d47e506425bd5ef4e3bd4f53ea38
SHA51269b2a88a62e897f1f483c351e6416f0c8f441758657d27d78c04937ab6ce2cdee4c9a606d7499308b3f1e31b5f95de4df032aebb55de40447d8baf3dbf0e26f5
-
Filesize
23KB
MD595db4e855cf52a61f870cf805b71378f
SHA11928f206a0bb214ad8ea762658666945ca5fd75e
SHA2568b2871abb24796ff1cb3bebab2421b1a27c33f542baaf57529cf3c4adea0ee69
SHA512224ff975f46ee33bf5cc779e90962d26165e049f3b30ae170d6e5bdec7f020c48c0ddf13cdb70d377134b5a7a965fff6e4fb9ab980af6376138c4177f45565d5
-
Filesize
6KB
MD5afccf783ad0490e611c9e8bb40e3dbe6
SHA18d57df660393caabe772b567292979895b63f5af
SHA25619747813f9406830c332bf72b092f0ae713e4e62c55f8b813a5f5867301e5ba4
SHA51238792a143be59c6ce2124a7cf9ce600f3836d3a6d2afdc13c4ef976a7fb5b186bec51fe89377f2d9adefe1a2ac56aeccceb23f1eeac7f64a9b1833f132f65931
-
Filesize
15KB
MD54568706bfa381aa64407f2560f9ac96d
SHA1051881152dd3f27e742b0818c65bf8053c97c28d
SHA2567cc4cff9e62e34ef339fa9579b927d4614c1895e4874ea335e8f9a321031573d
SHA512d7c0136e7c5ccb8795f223a5d87652c02c8d67d632b9162dc5d15c034c5232c77f4b47844a6747ae369001615a96728c60344484983b678e9497ab23fef1dacf
-
Filesize
15KB
MD5c6d157a91499fc57de394a76bfd4ffaf
SHA18c077b63dcb3944d8c8bb1001827752f121e82f6
SHA2569d4c318a741c873b6d06d7d8768524df6d1fe9de68365a4bac702dfccaa943f4
SHA512db358fc8e9a7ddfa9669c4eff2ba86563c503bbf39bc61576524da7c3bd81a272846f3fd1845b85b6ded2d56b4432c7ae236d4ff9d59ff9f5f1117cc5f380be7
-
Filesize
5KB
MD55bf766e15c016b34ff4412ece6cbbb4e
SHA1e7468ef68c0e31fe63b7ca1987865b6a6ceb57e6
SHA256ca0802080189cffc94f04d701799b70536378f99760d66ff78592b4b63b30ac7
SHA5128fe30327099ace70381abd62dc2640f3412cc1e9bb0b1de9796d546d12fc5c2b428d1fa580b02fcd200acf9080d6d369c39951ce03f2ac294f155a148a302681
-
Filesize
5KB
MD5fef86d318b729b7120fbc95d022b2ebf
SHA14cd042a346a3daa34c174c296289ade2de09b245
SHA256ade30dc828e690265f6e5ba7bdae7b190840648b273c62997242ec5223223648
SHA51216ad82821b202fb824f7db61bea0d3c3a907c389880d2bab73535a188d92144c3eb315eb6c300360138199c13463bfecfbb2c624066099da14c6a37f098295a2
-
Filesize
15KB
MD53274415971944aa9e6b2d92cee86af71
SHA150dfcef024ead88f815c27c0aec32d4bb6964138
SHA256461dde0189a1ee924678d1dbe4413e3dc3a6d84eb0c0b9f4edb00650c8f618cb
SHA51271fa2267afe7aa6c28ad4bbe38837b037d29edaec2bf40494372f794c48eda137b2d051d0cb1224dc4276bc0bbffdb3269020081763730c7c3f06485435301fc
-
Filesize
15KB
MD53c33e25e2ff4383581602287042c36e7
SHA158e2af578f38a688616fa2ed1e5a627426200d25
SHA256ca3ea235ae306c04f42f04547d21f415c7c5d0f0281afee1b68d7b6ddbf25637
SHA51212b96f43c4174c45349ce68058dcddb80d568917acd859beb7501a0e0b143cbba340edeedede6cf4c5065855326c909ed53bea172cfc1221ddea26824699714a
-
Filesize
6KB
MD515cc47655ae4552c7e03779afe1f8fa2
SHA1399ab777331f69ba6bbd3e50a9ab056ecfc6dbff
SHA25687d18c3b34f0b63f381f9b6dbd0a0e136a8320f07eb94cf509050be20989217e
SHA512af07aaf952b5fae98fa2e555204d89aa3196c6df9379a859c55fef5433f2bc71ca09731bc4dc654ed3453944162a6de3a2075a65a6fbecd1e9537f19c711cc81
-
Filesize
28KB
MD5e00007a4524f86cf98d92ed11ddd419a
SHA14c3fe55d67749ce51cdb18b3df95150155674629
SHA256a80bc3fcfd5bd81d19cbe072cd495eb65bac5fd19fc3ce77ad4468635a1d69fe
SHA512d5caf28029a0af275a56bf2a2283192f0d50393514e6ae9fbb27976bf4ae91c8cbcda1145a11ff8869cfb08537ef4cd419f7419bfbf37a4d36bbcb49ee04830a
-
Filesize
671B
MD59ad9e63963dc1a7b3c6220c41c2ed91d
SHA141900b081d0475f8c399b676929f38ba662b09fc
SHA256508397ef34c07f0fe5766af37e2d79fe909abc5d16bbe42ae5812bd6a7449993
SHA51276bd91068641e782b462327ebb5cf6e36e532ae7806ff054718850b9389842e71c3d16888e4496cb80c24f4b612233da915e6ec96a1a47490f588a9d96519150
-
Filesize
982B
MD5c4ca99569bc6adfc940db1d5276bffd7
SHA1c3ff32553c70b2b6e500dea06b263905bd8cd7d0
SHA2563321c7610fa3f3bc417ac34b94da1a64efc183c29c52cd5aa8ef6c5ec71e9c3c
SHA512e0b6bd16c30edd5bf5cbee825bfcddea5faec9f9f94d01ae37db3437a777875659ec81620f72a91e125e9b61d19e86ac44c76909f9ed34282d51b67067ad2c18
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD52dc090381ea903c537152991ff4765a2
SHA16e528d7565667ac8b0677dfae593d85d85a2cc6a
SHA256c1d116a2b0730e0d1a378a95a0ea56ced0e9821c2ccc4b3cf222c246247cb15b
SHA5122cf6ad478f78f92946f07b9ab943532c94940928b5ee3a9327b18c4e47cd9b299e4fff5a0fbdd2f9d5d2fd07d9cdb80a71d0253fdaa8f72dcddfa65129cfc76f
-
Filesize
15KB
MD5c2d65891be419f5083c18a49ef8aa1b7
SHA196ae54d3db3da4c5ccfbbea06ae1e994a77fefda
SHA256c64100e1918b7db7cbff164d5a298785d1fd106214349626e2c9a7a4ca34536a
SHA512689f829d3d41b0b3dc72c3c6e1f8a692498131bca3a7f6e61e514feaa4f3914600e7f97c77e40efc5806c29e80e963f98112fd7a20edfbff782522a2ac5a0490
-
Filesize
10KB
MD5a782a6d6b9e313a125c48813e0ca5a79
SHA11a31c3220c9e4dd44d1eabe2ecca846f7c5be0ca
SHA256dd4a13dbb7468fa7456a2cbfab9fe8c3f52f03b1eb2f06040f2b7c475bc8a70a
SHA512010cb7b3dbe39bab3ac25cca8f260956d6091bad9c6fa32d4f11a2dc338a41eb3f905a7bb12f6de638f7eb6a88e4b5dbb605e523010f208093048e2a266040ac
-
Filesize
10KB
MD5703a820963556c8ecc84f1216b79602e
SHA1bdf5c40f5a2cb6c8c86dcca714c9113e3ec7c1fc
SHA256d7526d21d8d3ebf886fd8f805c3ae80f69957871c04f35239b906f9114b4e3c0
SHA51293a3d9bf6f6bee0e787837b78d593d2dfef906b298f08170af1ff34cc58db941b00288f89c171cfa2279c9863334529f5d68f3f8676001634d08a5166bd91995
-
Filesize
896KB
MD59ce0ace32aa31cd1e51e683d2d2a52b0
SHA1224138d84651a4c569b50a6233d3f86e20b6bbe3
SHA25654a6739bc39c3c28b4cd9a319c395dc54f7ef375cc915c5ff4b1b71302a09c4f
SHA512960a210aaeea7776d785f0490770069300b02c8b7357fcdfddb4d1dc90129932ae06d17ab90824ee366d8530d0c1cf5b53576883473350c003bff101a544459e
-
Filesize
1.5MB
MD5c7a2eaff37288b2991785a64ca6d9008
SHA1c2256cc9c32d0448653dd1dcdbd8556acec6faf4
SHA256ca53d3f1058915f8206d5b296c564a2cc6a209ee2dffeaa4470cb50b8b4c7033
SHA512f9c5d7c95148adec46ce2ecf00adba0c4741f4628935183dcf42f376551841d2b29f61d2edc183b682453431cc0f53223db0b64361faabd49f9016648decf64b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
10.4MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB