Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 19:21
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
56a8d0ea738568054d6a68992c06af83
-
SHA1
9f965adb0cb2d9194f7dc72f8c06a52f92e4d58e
-
SHA256
6c6f1cb0ee20ab9e1a4b0c34eed3ed086357cc10b05b372d9a09e5d0d516d5c5
-
SHA512
59e90b3fc4ea54585a197b97381019c9f80d9c44213bd75be71360a297c568dd588287f999f6cec94e853c7e81c193bda3cc388584cc7a04e3b3f25ef2ebfca5
-
SSDEEP
49152:9hgHusXjVlAmvQN5yJpk/VqCIk+SVTntsI:nFsZOm5k/4w+SV7
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 10124⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 5244⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008497001\eecd9c4c6b.exe"C:\Users\Admin\AppData\Local\Temp\1008497001\eecd9c4c6b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8ea82cc40,0x7ff8ea82cc4c,0x7ff8ea82cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1740,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2568 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,18337409327962706851,10184020180892457138,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 12924⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008506001\6ba1d6cd1c.exe"C:\Users\Admin\AppData\Local\Temp\1008506001\6ba1d6cd1c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008507001\bc3e02f895.exe"C:\Users\Admin\AppData\Local\Temp\1008507001\bc3e02f895.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008508001\98760f3002.exe"C:\Users\Admin\AppData\Local\Temp\1008508001\98760f3002.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c78e9df-b2c4-4bc1-9c22-fba4d5b63ed3} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef37683a-7ac9-482d-9ad0-e353973b9aa2} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3144 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {063afea6-4106-4208-92cf-5f3e2a8a111f} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03ff0172-d4ac-4229-a57f-d5b42ee94e51} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4376 -prefMapHandle 4348 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374d2e73-1097-4b6c-b9f7-850a51c27958} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc037e7-8087-45f9-a132-e96587556902} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dff2326-af48-4997-8b45-3cd091a5c868} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b73fede1-252b-4aaf-bd98-2bbdc4a24258} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008509001\80e0f9ce36.exe"C:\Users\Admin\AppData\Local\Temp\1008509001\80e0f9ce36.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 736 -ip 7361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4628 -ip 46281⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4980 -ip 49801⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5dd7d4fb22c9e2a715ab2b08925e6412a
SHA11ec8c85a2d94dc986888c6640b7ef47848f05722
SHA256d6fc04dc482793213b58663d92108a09feadb12f977918993e5055c30e04e37d
SHA5121f9b1ea1d704a2151212bcf4f8e1dea2f0670ba88f6594bb51d79f2d3f099fa63a0172818fee1281f968e94c533509fdf7b64fc2098dcf1ef78935c506ac9b39
-
Filesize
13KB
MD5d89599b503401981f664878a49e86582
SHA1e5df2b3e45c298ce0c9f7da7db67593ea8cc9212
SHA2563c6a7affccbca9bc9c6043383299b7c9c6da3c74234c193dbb6a2e7ca9a6cc78
SHA512aa2eb22d3b967646fc2627fb6c4b7d492be54d84a375aad8c09d5eadedef3ccab11533a54dc3e3d175428099462cd8417b9aba960032a36f88da85fdea3958ef
-
Filesize
649KB
MD5e7aa83909ace3906ec75144cc33e024c
SHA1333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA25624443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
SHA512508fd7984ea8b9d8c8b2cd3c7c3587941a6ee4627c7cf54fe56db7db75dbff0abdaf0db1b0c46876dc6ad0cc21735bd7a2f0351d5edeb735b2de796beef2ea72
-
Filesize
1.9MB
MD54cecb04d97630cc2d5cce80368b87fdd
SHA14f693736497e06c820b91597af84c6fece13408b
SHA25651698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66
-
Filesize
4.2MB
MD515a46db0313993e635e8a7f4ae91f44a
SHA193f7e0d18cda291de56f04e2ad35fff64446eb62
SHA256aa421056287f6114a5932fc6fe92734a06fb0760567b1086774d25881b6bf4a1
SHA5121ebc9e6e2e35dac10752f4e11466f0310af10c9911f004f41455d175602a199cb17a91297733179d3d0ee59801431464da62fc1e4f8639f0ba244c16076c2258
-
Filesize
1.8MB
MD5acc594995958c5cf5f107fe27db38f8e
SHA192b6e9ee6a4a61b292883566738f8b7e038f5eb1
SHA2562c3841d0070158d8f5824289380656aad74c190ddfd4ee8240eefbfd16988b89
SHA512e82304a2948ab275c1b243255ce5dc01e5e2763f766eaea6915f6e7be0d130ab7e92d52b38f8f1186d30c809a7da2697f06bf55eb9152a52c81a26df8f21373c
-
Filesize
1.7MB
MD56af05407143697f6c49bd94e5903f73a
SHA1003809f7aa6cb6ab5bf4ddb22dc659f22f0879ef
SHA256e4853246b4c0b4d13aa84e929cf4313961f176e893a8c1c29720a1eb7f68c5a7
SHA51242447c96152cfd43f6ba7d7533edc62e10e66eab6030c8914bcf1af64d6980b29d1ac6a960fb6a1e3699ce68a8fad92684f2c3ebe11009f911d2b98e49f61b5e
-
Filesize
900KB
MD57f05860baee4ff5da95e342eaee96e85
SHA1a909d75ee89b3123f66c6ab227106c66e8cb5fb7
SHA256dabb569816b302dccb1fa4c032f5e39a2660d32c3f95ece75e9ebf4144ce0b17
SHA512a963cabe33d4f92041a1731afae796add8fd1ebb448583edfa9cf1a7e427bad514881b9dbf3d404c700d3bb24beab89fad4266fbaefd1aef3e76d4fad05bc0d0
-
Filesize
2.7MB
MD59a939117e7e796c8036b7a92bac70c4f
SHA174fe3772448794929f7f18f1c72f4f388b573468
SHA256d94dec75c03b2044787f940bd7d96bf066eeada41e23854726ec54f2ff77bd72
SHA512a722c1af22a5b67f5618b080f561977dbe5686abe1923a618a67a9c643a4cf814c033869625585cd8bff603f342a8ccfe2103654d9d6cc2bd87d56c097b651ec
-
Filesize
1.8MB
MD556a8d0ea738568054d6a68992c06af83
SHA19f965adb0cb2d9194f7dc72f8c06a52f92e4d58e
SHA2566c6f1cb0ee20ab9e1a4b0c34eed3ed086357cc10b05b372d9a09e5d0d516d5c5
SHA51259e90b3fc4ea54585a197b97381019c9f80d9c44213bd75be71360a297c568dd588287f999f6cec94e853c7e81c193bda3cc388584cc7a04e3b3f25ef2ebfca5
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5ace991e0c3a6aa58e524c909bcbffefe
SHA1fd2a3d0474ad409f27c1b3d6aea8974fb1c4e71b
SHA2569a2cc0f658cedf09d595b56e502ce3ca5d166008c762341ebd75e3c592e1b800
SHA512eafedf984cb9dd33a919e9f209463d1a0810aec6c172af191032e9ac16f6a23c84c471db4cbda526a0b0976b275a0121ac25fca55f697810b601ba96cc021035
-
Filesize
7KB
MD574c35700cd56045c0565f3084b3a1a3e
SHA1be7e0beeae9dc303e15d17f47409250196f8e6d5
SHA256c2ff477f7e9279c9edd8a8ea72824ba8cfcb4eeb2748db4530765a0d0518401a
SHA51228b1d17b2df1b49b41cd6717893a96d0c9b5c0e640c63069fb3edc18e21bc7d7bd7cb96609c86df739d32b03c0287df5c1e86d47948423f3c27cb8b195dd50b0
-
Filesize
12KB
MD55395869dcdb90239f5654f9fdb689e33
SHA1175872715fc5e7fd8c30b8a418e67d1c36cc2fec
SHA25607bf20a4c4ae6556b7cc99fc2a5c073b34ba9727c881fe840b4191522d94544a
SHA5124421d196933bffc6d4454c1853b4b120dcf04401ab6ea1ce9acf2d748fc07d84f50b6678af9f5bccd5491c9259a66b501ccc37e1ab05ed51faf114448eebb175
-
Filesize
5KB
MD56406d16550899b547cff6d7994f3f3b7
SHA1fc1d34d2c4327c6376e7c8f9d30c9004e42b456e
SHA256a908b36056d42cdfc732ab45f25bcb658473c119bc265ca78473c858dba225a7
SHA512df2276a3fb9dabe3c358f461dbe79afce1ff43551bef8742adb2e7ae264cd3147f5d85744b42b2e326b3f2ee6a790977dbb24575f2a00f2060b82342ebf4ecf6
-
Filesize
15KB
MD50065341e748098b061e2d123298b76b9
SHA1c193ea877a81287bea0371bdc274ed73555c0e63
SHA2568d4b938140bf1de7ca0efc0106871f06dedbcd9d469b5abcc8b18e829b3eb490
SHA51203c9923ab1ddbb4605574003b29ad29f31dc8f43d9c8c5750c9aa3c80f82b5007512355df74e3fc071e1fd1c0a63b4666d4478b03c8b07e2c4aa6f73d6935963
-
Filesize
15KB
MD5e12389c77035ddccea458170a2266afc
SHA17d54887b528f80d5e653c90e1ccb3700ec6e81ab
SHA25608563b1601650d36ba52e69a8edc5214fbc30e8f35708de65ce43fbe9be74831
SHA512b995d76e553f04784fcd5010e06065adbd602efc07ebc994ea9fd7015f3f89a6f1c8a00efe2688f2d6643eff369de34c81c137faee09a68a2bd7defb87fa7b1b
-
Filesize
671B
MD581a6f68eab40b6d7e0734b9c33c89fbb
SHA1ff72b433f80d55b5b0141d3a7b64ba7a74fd1f56
SHA25697360269660256fb8b5d6698f6fa946c53de526305406f77e033b3325b7aaa65
SHA51241f4724fb4c2c5137696c7e9f234ffbc3d5c1853e9a7353e4ed4ae9e68d4700c95bbb138d2153af7f6176751a8eb8309bbd49ef58350b9ee5f5b865de463c11f
-
Filesize
29KB
MD548ae05db262b152047eb10c4558c4fcd
SHA1cec0f5aba691922dcbaf79274f5eaad67d4f7e36
SHA256f636cdc3de9429bed4efd7c81b8a2d899e60aa09f83f614118bb9052e2b9902e
SHA512bbbc3a974d64522a93bcf56511cd66ba7364c8aeb1cd8bcd698c4e7b327ff67218833e8499d4291019c67b133f7ce8e128de7332dfda648511abd674efd3962b
-
Filesize
982B
MD51fb47dd1707685e900bdd1a7eaefb2d0
SHA176ce04f906b3215028be644dc0d6d43e96997de2
SHA256ec4e5a44a15815af70b90de6c4acf76a7b9bca8b895ee8058bc602a486db956d
SHA51250170d535f99e1dff2646656aa0a3bfa7c613b38d24c91fa26dbd88ae27c6130ce18223c6188dccb3f357ad5331465b2635f7f4780121f7e619676aa0b00166d
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD56791ccdba01b0b7fed13f1ca4e597a2d
SHA1a8126c0a664b1c7c91ac2f3b53c1b64d379e868e
SHA2564ae5a07d2ae37af5c2aecc8324e4f45a67802ab7915461211ab545bd2305ffad
SHA512097f3c6d1425973022057bcfe10b799a39a50f10026e4b38ab4032f9d16696126325a327cd2b8cb87da759490c0603770e666a8118d11ddbc917d70fcb1efdbe
-
Filesize
11KB
MD5966ec00f03a8261f555107c58e172e32
SHA18c97a0bfb7195464ed5696ac5a0ca1383dfe050b
SHA25648ca26888599812920ac1e574a9ca250ddf9c39494437ce867f22c68e22c550c
SHA51204a02440b49105590a31894925b9af41ea24ba929ad1bc6a3caf192d3c1ce9e4418b52d9c8ba36f7dc6f992d1e7cbb064a093687cef0f86bfb2e02c6a35a6c02
-
Filesize
15KB
MD5d5f0c4d770376325c14c928238f3861f
SHA1f39d1e1a1b369beef7d1263ae78249cd5077923f
SHA25610bc324a21d6438bc158966f91629f55c00352c4348895af4181b7ba12e2a158
SHA512616e73c0bb645e4aa9e3e90b13d4a941f8f0285618f1558b0caf5a6bf011d92df0fd470ee9a9c7e1bd41edb1ec208c0873f0167eecc151988da6627a23b6b0db
-
Filesize
10KB
MD5aca9dfa000956455deb52a62cf75e5a8
SHA171094da6de10dc6b6c54d7d285bd6fcb7add0c8d
SHA2561d24de37b0a3d5c2dc392e82c5a58edc320fac310de0861dc4e4f482fd7edf86
SHA51271d496d4a7982d2ce5d2a4499196ffdb010312f25644ccae4c6d5777b43770c887396d1dc6961d5f0a82f3e5087654535e5d7734150cfbfa07d27f32a4d6a179
-
Filesize
401KB
MD53535fcd3063a2965f1dd8f9b65ca8355
SHA11f5c89caf911a08415d55ce1687101b65871b122
SHA256086057602eec63ed064bd97c1643b20c727aa4a557d16bd26a763716414620fe
SHA5129b623500ffbe25d6dc08c3c90aeb8c123e9fc2841f0962b6fe57ca1d2ab44fb1062352e1d5ab1d506b156c0b25aaf96ca6267a36fd064c97c12df965bcd66929
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
24KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.0MB
-
Filesize
4.7MB
-
Filesize
2.1MB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.8MB