Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 20:17
General
-
Target
dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
-
Size
1.8MB
-
MD5
72683bf9c6f350a7af5d18a98462fcdf
-
SHA1
1fd96a421e53351f72998a1a72f923b36e866a0b
-
SHA256
dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
-
SHA512
989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d
-
SSDEEP
49152:eu/AKF/HKZIZwiv29BZlYif1AYO5regp:F/AE/HmIiie9TlYC1Anreg
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 5484⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008510001\3089795584.exe"C:\Users\Admin\AppData\Local\Temp\1008510001\3089795584.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc51a6cc40,0x7ffc51a6cc4c,0x7ffc51a6cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=376,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,9050298480017269440,12148293922952025120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 13244⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008515001\45bc806e91.exe"C:\Users\Admin\AppData\Local\Temp\1008515001\45bc806e91.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008516001\66d6fb2ce0.exe"C:\Users\Admin\AppData\Local\Temp\1008516001\66d6fb2ce0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008517001\fc99956206.exe"C:\Users\Admin\AppData\Local\Temp\1008517001\fc99956206.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1976 -prefMapHandle 1968 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f1d10f6-e37e-4b8c-bb98-d7585632df41} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c8dde6-1607-4bf2-bcb2-7de43b58c556} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c81df3f5-4307-4a2e-98a2-974fc436f302} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 2 -isForBrowser -prefsHandle 3264 -prefMapHandle 3876 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7f08ea7-0774-4f16-b779-35056b4417f2} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4120 -prefMapHandle 4056 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e81a0ef-031d-49be-8143-0d0e63adff3c} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 3 -isForBrowser -prefsHandle 5744 -prefMapHandle 5764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae2489a4-0152-4efc-87db-d92e6d60570e} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49567c8d-b1e8-42ee-b6ba-a06bcb13dc9c} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 6096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a3b46f1-1cd4-4640-a833-a96a2a6b9b64} 4452 "\\.\pipe\gecko-crash-server-pipe.4452" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008518001\6c4ceae6a8.exe"C:\Users\Admin\AppData\Local\Temp\1008518001\6c4ceae6a8.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1692 -ip 16921⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1272 -ip 12721⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
22KB
MD58afa012b0c2c1c874f4e0eeb91724929
SHA1470bd6a9ee1e9bcbe220c36cdc9a563989a43d68
SHA2565b45484837dab0650e1c3abcb47c27c42090c2cec5c774985595c4d390e4e1dc
SHA5124c5f62e4d0d9c8a0c4a27963655354963b1369da956a17b3da021da6f07ff6e4e737dc6dad3cd5e7e1567ee147446bb3d146d024e27a29d1bef46838612f9f31
-
Filesize
13KB
MD5e11da7190803c1e1a86cb3f5213e05ce
SHA1b7376fadd0f52a51c388edbce780a3c8f306a1a3
SHA256b209567c98df91018cd7bd55f83de5b8d9cdc47e1295ec783181c7fc690eb386
SHA5127ab731cd2e065493623d12d2a6b4703ce4182a27c4e224fa88aae31740e8478cc3bcb44073ea01591800b943503fc570d99e39221bc7404cd0c10e47ba5cae57
-
Filesize
1.9MB
MD54cecb04d97630cc2d5cce80368b87fdd
SHA14f693736497e06c820b91597af84c6fece13408b
SHA25651698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66
-
Filesize
4.2MB
MD5f97c2e9f72376f61f1d70cf0f4315e20
SHA12275dab7414471d6f71bc0d7b9904f1c28109665
SHA256df6ba8269d9aab412a1d4817dd93c5bba88c9d1baf1f3752ed7b47c47e2dfdf8
SHA512208f4779c57e285f9e458ff01b0ecc40792ad36e90872a203ca7206c531e773b1d523acc46f0466e88f732b79ebe5a5a14de9c959f9b01c4310cf13c9633b18a
-
Filesize
1.8MB
MD55e73b0576450ed5ffd50f136a205a42e
SHA144d41e87ac4a7606006f77c5c49791e1389292b9
SHA256e83261e251f282c7c4f68bb8ba9ab58577cba92e863c1cfd488d6ce6de7192ef
SHA5125da2a5015b932b76d03f8d3bec630738c0b98602c73fe4af71d7839956017aeb32ed108679d264c4fcdc15fa857fde59b2b7b9479d19985045d154b49b9a9cbd
-
Filesize
1.7MB
MD5925d775a24989da8e83cabcd00fde1d3
SHA173373f88fa6798ac4a4bc1566b62814deeb362de
SHA256362ede5e1060f28217d49706ced46a1bea1e175bf91c4a1457f921904b9bb32a
SHA512f0866e412ba6733ba460eadcd01d76b5803d8ad17a9016ec0b1d5915de0e1360d3229e9a09c5ebe1911325029388645d68aeaec1ee78e5797b2c3f83d2a5dfc6
-
Filesize
901KB
MD509061fe9b6d117a3d40497832bfe6f3f
SHA1eac5a1ef4bd5ce2b41c73bb89b3593516a15b240
SHA2566f289372761153659c56c425ba2e734614315d822bf8692c83c1496c39175a6b
SHA51263a8c0a3db7bfbead09cc85c958b1ff16e431a20bf6eff8a88cf6e9189e7a58607ad0cf0e8675611ce039ac2c3bb5a1940bb8fdd9677c53f4ada20276a119178
-
Filesize
2.7MB
MD505f8ead29013ac531082a69c2a003d71
SHA1c6c1689a70b2e01caacca97c65d4f8a90fab0809
SHA256b7ad7259ed8db0d24ef8589e7308f50ace37392d2416ccd06db16955c079003f
SHA512222dbf6de1c85ab1bf65d8872b8e59fc0791f5ecc9d2a7c6190667ba95034a02dfb11178f6a1689aeefbc1132bb8e862ac9effb7fab601b6ade411b71404d5bc
-
Filesize
1.8MB
MD572683bf9c6f350a7af5d18a98462fcdf
SHA11fd96a421e53351f72998a1a72f923b36e866a0b
SHA256dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
SHA512989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD57767eb00cd69ac41d02f14d9dd8c9eac
SHA1d15a1efa84e74f94187f20e6c95ce0d8789eecb0
SHA256fc02fa2d814fe65c2ec4ae226a0b0be041f49504e592eb73d48621b4fc07e830
SHA512de19fd3f5b57d2896e504cd76c09fbf2750d65ca7fbaf3cb143dc3590230b42d4ed680e09837e5286f65da308e78e7b7ad8e5c19bc33f1dfec9002cdb816457e
-
Filesize
8KB
MD5da03e438c7417c546b8cbf7b95e3d403
SHA14c75c13203c4e5ebf8d222b7d49b07955f082d88
SHA2562a182a6fdcdcd9778af30eed926748f129a80539d8d7a30a223793ff222954aa
SHA5125e8047dea4cc131c0d6feee5c77902d522c14c20434a335402b4a6c60f5ccd57e048401395632087f3491b661eb6878c06ee5f20d42dc57fdbd2d59ca3023696
-
Filesize
5KB
MD5f04ae4b790c87749e6675c54b60885cc
SHA137f8eedce0c3be4d9ec8b94c6137043af1a07bf4
SHA256f7c5d87df3885830f2417ba7d0e3a7638e1eb45bbdb994b4df23c5572aff76dd
SHA512188635cc357e78eb0a4c05dd4d1f7e02d763c1cab6f804cd18c746c62d27c10a9391512ace946230ab82806c74799e977fd6df9f464b42ec7247c9a210eac49e
-
Filesize
6KB
MD5631dcc47445ff3a5c4d8f6c08e8982f1
SHA1d1fff8a43f5a2d08edc141d010a3b104a9da1345
SHA2565a8c3b4699ed0c20a8f35703d544f6e01c8b419def86061b994cd271ed46a2d2
SHA512527f0e6a813b3c1e7bb29e9b87502926a598023858c4bb1d1d05ab3a48453cdc5b8e04b666226baf3734049da5c53fa0a9bbc22870cf8a77501829b32ef53041
-
Filesize
15KB
MD56b9fd59c537910bade34fba0d30dbcf4
SHA18ed24d2743f3e9a683f3cf3bdc46d3770b557789
SHA256b2b4689632d935ae3179afd0067cf0a29dffa0b38fa78e98d43449d5e4f306d2
SHA51225a2e3517afb45bcde9a1fe0f55cfa7a9812dab029d122b1ce0c2e93bc91f2c7268d075b6ab29c78c3f1fd1f6246733828a50cd9e8314125d9d92e7282f8614e
-
Filesize
671B
MD5bcf5ae36fa98fdce71cb359757b61bc2
SHA1db8566466d3f298d6dc68281026377085d788d09
SHA256fe695d887c0187d885234d3c4017dd771da33313e20b382d8440842027fa2d52
SHA51291e89abe7403637b8eb4a24727b844f55796ffdf7cc2c1ff425ea2b4482c0b4335c6c7a5a388892c9bb7f5203f097f37b356476640257e484a5f45d219190f6d
-
Filesize
26KB
MD5a2ef0b9b5edb3cdb14d6fdb0d106ce8c
SHA11d2f9f77ce74734affa657e1fee9cb05f1d7e615
SHA2566f9a376ee7e3d444822f7003b2aaa29be352ef5418e91e3b82598704b37fa04b
SHA5121743b6a1b6a7a84ff78229764411b5dfc83b1f38c0c978c2e17dffc385ecc4b9ee22d52bcbded72abc2d2e79a19e33cf1a5b6fd2250fca7f9e21a00e69a4fbc6
-
Filesize
982B
MD53b0f101b16d7c540eac191da03d3635a
SHA1afd1e25b384a70f968925e051e78ecfc5127db27
SHA256f44cc56ee65f6b4cc4af85d52464e132187634d16dd435c79d31e1e8b6fb8c8d
SHA5128f543c31adb486c43dc7aa1fccb0bda2cf04f389d38487378a32ddad24fa5fd1b9622c9a8f17f8b0da202fa25bbf4947000e593fc726ebff64a6c331a101bf32
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5451f8a5ae560f73f493cc5c7d5b0bfa1
SHA10f2cef815d1da378b5d4b3d6bfcd874112667fe3
SHA256a54f60453671b1f008f9637e8838a94b7559367a6ee77c0f98fc415f27690b4a
SHA51203b06329acfe524be8a8908faec75fcb0114e6b7459889c46205e384ae008a8b82115c2e7edc4d159e1e34e4f3feeca8afc63e5a057ed3303c712645efa12897
-
Filesize
10KB
MD5abf97029b9c9e2038a5643455ebe16d4
SHA1709618746d948e4dc0c0fd306d81343c3b186bc7
SHA2567a911057920b3c0bb4cb9a2f9ff2941132f180385e50627a51fcfbeab4c694ff
SHA51216186c285fba46c1f6e77cad44ac0e3dfd06aa761147fa00c910bbfbb5ed97b36d48dbade4ea89668a17cdb980d8a768f2ec85becb8b990e3d9926ff9b2911cd
-
Filesize
10KB
MD5cb9c9ada51812b66829de5b96c9c3665
SHA1f4a9a55da7b0e787efe78ea15260486e25a1767f
SHA2566786aa6050e70c418c64adbe4d66e57a636acc202151ae57a97ee5dd706d75fe
SHA5128f0795d024af51195d32e5fab661d3c72601539684bbd56113c23fa4ce7bea20e08d34d1688a5d00b88c37da9484199b5cbcec2ee27e04f793c885fa30a66a17
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
10.4MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB