Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
26-11-2024 01:08
General
-
Target
fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed.exe
-
Size
1.9MB
-
MD5
f324cf036831114e3c8c681220ca0489
-
SHA1
44bf59a5f94477316d0e410fad8d2ea4b552a37d
-
SHA256
fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed
-
SHA512
68c0138aa66b76ec360bd775cb6dd2a80aa7d8e09159061b2c957b5bff12641767ac38c92b293242b5219ab3ed0efa423f1305f0b39e8372838a39dbea5ba47c
-
SSDEEP
24576:8YUyqDQZf6VOw2Ti4fDZQtQiAp6XbGLOr8DnD0e2AemsOdq4961TNLD8Uf+N1JTY:dU/QZf6Vyiop6XWC0nDuPcqEwTJ0EW
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detect Poverty Stealer Payload 1 IoCs
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 19 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed.exe"C:\Users\Admin\AppData\Local\Temp\fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1009166001\8e60fa6c71.exe"C:\Users\Admin\AppData\Local\Temp\1009166001\8e60fa6c71.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4b89758,0x7fef4b89768,0x7fef4b897786⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1260 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1336 --field-trial-handle=1200,i,10143429767287922832,8334294313957497866,131072 /prefetch:16⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 9605⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009167001\532f239474.exe"C:\Users\Admin\AppData\Local\Temp\1009167001\532f239474.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009168001\8328f7a9c9.exe"C:\Users\Admin\AppData\Local\Temp\1009168001\8328f7a9c9.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009169001\8c66b8dd00.exe"C:\Users\Admin\AppData\Local\Temp\1009169001\8c66b8dd00.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.0.402299788\1434856739" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42c77cb-9438-449a-95da-5636e5962396} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 1280 11fd6d58 gpu7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.1.1251215757\398095122" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d690a187-5d89-4852-8cef-2537385fa613} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 1492 e71858 socket7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.2.324826183\1183200872" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efee7cfa-d26f-419f-bd9f-81dc89844994} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 2112 1a07ab58 tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.3.980280719\289128445" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af81e4be-ad71-4451-8b45-3953002baac4} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 2916 e64258 tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.4.197743998\235589081" -childID 3 -isForBrowser -prefsHandle 3548 -prefMapHandle 3604 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b6cf3a4-c4ca-4788-99ee-0d0b433f2996} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3636 1f7d2458 tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.5.742092600\697142976" -childID 4 -isForBrowser -prefsHandle 3756 -prefMapHandle 3760 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4dd996-d423-4e2c-8dc5-2c623196ec44} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3744 1fb14e58 tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.6.1307583242\1741500341" -childID 5 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {734f5c58-8e28-46a3-a844-dbcc1eaf2838} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3900 1ff2e858 tab7⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009170001\953b49765a.exe"C:\Users\Admin\AppData\Local\Temp\1009170001\953b49765a.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {59866FA0-4F90-451E-93FD-703083E6611F} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD56cf145e73972c64c79a5b92161888253
SHA1f3daf887ccfa976b8fee821a8ee6f20c9cbf5e54
SHA256f0a42c2dbf698bf4153335012aa443966a9dc5452d09e6498af8710c03b68e44
SHA5123bd3c546dc231157168c669f83e040c5368b672171960f82065ad5a96e68fc5615ace910da06e88815c70492392796d30947d05dc71170c9172ea0c67e04df12
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
31KB
MD52f5d68be5ba21b6ecea0289cbc201cec
SHA1d916682f02abd29884bc338e1bd1b6118cb80a3e
SHA25673fe63ebc8b90d634bf48dab3673d7d5aa48dda4e686f7cd18f7ea4ad8fee76d
SHA5127782666c1d239a5aca93e7debbb1216fb65e7971136ec8698f79d20644db83f9b98ee8563e3544a15e57869f0ed6e4ae7e7164d3470b3cdf6077f5443f1baacd
-
Filesize
13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
932KB
MD596a7b754ca8e8f35ae9e2b88b9f25658
SHA1ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA25621d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
-
Filesize
228KB
MD50a089e934eb856c3e809d0fac53000c7
SHA1661f86072031587be18ada0b6606ee82bb52038f
SHA256f4e5ec593dcb18dca253d98f5133050e96f27f86c1e46b5882abf797fefe26b1
SHA512026152c47e9547d1f2c254bdb824f9b8ac113df6b3a98c61b1ac4adde0286dc8a06ade4a3bd73a149b4a9eaad0f86d702ab4b4042dbb7c17cc0af5a14e34cadc
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
4.2MB
MD5e3f5abc2332ea769c91f7c6f2a5a664a
SHA12969a201926786c2e4d03f215077d2abec517dec
SHA2566bf3521dbb4d8610035627fd1ffba23169aaba4c7ed723522a1a73386edf5b69
SHA5126a2f821451483ad5781b761bd9f462fcbf6239c1d6260d2af02f128680588c56fb4b03ad199a01334ce50d4a351393a2dd69abd345fe949434c5733078949f2a
-
Filesize
1.8MB
MD51ae6f683a54eda849fd92462d37f1937
SHA19c98888d6444414719478467a0bcb7467311268f
SHA2560419321447abb2012698b519a851f6ce4ad90dcedd457f8e7fe9c5b64af07fcc
SHA512a45a42171982b6e5dfb30e1e30aee8860bb63cbc744eb0e9c8ca3f795a47d27c1a43e86a42e3520318bc3ff47abaed603f1634d0cde7af90fa258ae57698bc04
-
Filesize
1.7MB
MD5ded0eb089d3679972dcf011246f04abc
SHA1222c4fdea41b569389fa64ff718b5f9944b5faea
SHA25691c13e6200f741745516347b90adc8b5dea0c43f0b0163f6035570142a5153f6
SHA512eaf8e2c036574a001d77472d96b5af088bd1e4777229d504870e3d0743285374c223a9de93b2cecc9927eb8af3c039ab5a8be888ee82e9d0a63990025f7274d9
-
Filesize
901KB
MD5396550510e969006e52ea8931b9a79e0
SHA169a1977c9bc1caefbe14e37dab010b7044f71a23
SHA256da90d008b44097ea1201a68c6d6f4bb294eff9c62486ec0c67dde91d9d9c24ce
SHA51211e081f23121c6cb122c502dd9ef90fd00913ec2c21b077a84d0a3cb2239847096d4541a46b9277facd9ff1188af3cc178af0606427c63fad383c5c2ee7e8a62
-
Filesize
2.6MB
MD522370d009f56cb4eaa0c65191c9ce569
SHA161709a4936735ee99136b7dc86de24480146d8b5
SHA2563c15b93399455363458932130652659f24d2415b1dc2ef02ace1f943cb83e78d
SHA512b35ac9f727ca14431375b29188029a3ffed85b076de97c3295d2303a9ab329fb0428da444276c2443698f770f2e9f8f85462dd11a36020826d52be7929f81734
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1.1MB
MD52354e800eefc681a7d60f3b6b28acfd9
SHA110b6a3d9d2283b5f98c9924fa1fca6da79edb720
SHA256d3c21f6c3892f0c444ffb4b06f962caddf68d2c3938bbd399a3056db255007e3
SHA5120395737b77891d8cf7761266c2b3d594deb8e742bd5f12f15f58b2c161c242356b953ebf8cd1f41924a917b2c1332bd2e05ef275efd2419a6134a60729195354
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.9MB
MD5f324cf036831114e3c8c681220ca0489
SHA144bf59a5f94477316d0e410fad8d2ea4b552a37d
SHA256fd15d97c8fc88aa354c097d5e94d69ac2389e0383baa7fb6fe32e56655b501ed
SHA51268c0138aa66b76ec360bd775cb6dd2a80aa7d8e09159061b2c957b5bff12641767ac38c92b293242b5219ab3ed0efa423f1305f0b39e8372838a39dbea5ba47c
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
9KB
MD58657f14b8b43071cac8dc10e17c8bea7
SHA19ba8c5ec9dc981625ecdcf79c1c404d7eb5f5eeb
SHA256cdd4a5efeeb0474006573df0cdffd4626f418f01e9e64697e4d21936d64fd27b
SHA512be1757e6dc2b5d5f6294d80116874fc9aef4188919ee60e1921ca0c57865ddd92b6a3988682a1228fb9e04d2740ddb8c23f1a5d405c00df329f86bda2ef14eea
-
Filesize
733B
MD5ad2f5fcea3685cc1ef3cf82921a0747d
SHA1fdbb06a8685be2fd3686612c95d4a79522ea581c
SHA25669aef3e1652dcdb8815fa57047a49dee3451ae68c83cc192e9c2f8bcaa4186b6
SHA5124cf7cfc10587fbf97bfb59e3c97430c46b2ec82324b566ed3b4d741cd16f383159797a4f25180293e89fabf6db1da9c8e7c9855c8b69fd0f281dd28cedab768a
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5fbe83925772879d8163f53b4831a2556
SHA1f42bac7c086309aa3788c9538429279fb5db606d
SHA256c08afcbf22bf057e8e84f288a924abb9a2166530ff087dc7e9787945d6225250
SHA512ca09407a8bae367405d370033b0bd89dcfb98e608b0e1b35ad51ff362ae375d307f58072a34dc97f1456e49c447d9b0b8712963efa2db3f46e6e52b65d7c8e93
-
Filesize
7KB
MD5c1cc8888687e40ca100c4d2785b6c8da
SHA1e1dc378e0d94516cec86409097cc846af010e5b7
SHA25629d8e86acc326749fce4718b0b851866575cb6c8a6ed68418a59609db7e44990
SHA512716844a58cde504a98466e8ad851cdfcf27003bdb894c780d4b64e783d1cdaffbb1d443f74b0033677a365e0d0990aae5f40374b1f5111773d229cd61734514d
-
Filesize
7KB
MD5aa9014bc790ed66b3e55afa7dcb517eb
SHA13c54c54b9b2a2a689d65d388b33b577a7b5fdbba
SHA256b60ddb32b2a18d7dc7f8834b2c71c9cf32583ec8c09c70396d68c9a8e7b83d8e
SHA512aadbe5e273e42ba24daa9c38580c5c4ef92849e5fe0580ddb1a789b46a71d37fe4ee08545bebbf31f81be78385af60efe43e59c79033a8dec53de653d7a101cb
-
Filesize
6KB
MD5ec69adf4440bc9fa064c3f2260b7dcc7
SHA117b96cd3cac9acfd891a1dd2e979292a2f386eac
SHA256a0ddb207c60b896e2f15658e83602a7cc05ce332dc6a464a65d9865e8b170694
SHA5125dd62cf5718d3c7aa423132d9da11cc2c606b6a3e07d0cf2ed200d91853279c47c9560c4a2dea524120261ae2f2b598c9b579d68adccdf3a900aa8611c6f46f9
-
Filesize
4KB
MD5f84864a7a06f3760cbcc7e77a674d9cd
SHA192dc4cd4649549382ed2f55b5fc3f54db464e398
SHA25612b20ff7439ca7120025449f3c867be74ef2ba5d8c586341163b627282c75262
SHA5128ecfe4ac29ce57a393f6f370bd524ef52a6acda85078174fcd679f3102639bcf5a3fb668f73b3af7fac65e40f423fa19d9872ae8dd175aebddb55255fc9277df
-
Filesize
184KB
MD5bece0acf9d7f19d01c7943c54d2ad372
SHA1aef59ca4b0fe97f32db128e103bfb98aee3b5e29
SHA256ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8
SHA512105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
152KB
-
Filesize
24KB
-
Filesize
104KB
-
Filesize
1.1MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
256KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
12.3MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
284KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB