Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27/11/2024, 02:16
General
-
Target
af556c029dc19dd60c72dfd25a39e6b28fc848c9f9c4414d3bdf52c2e589aaf8.exe
-
Size
1.9MB
-
MD5
055a7c8f105841970689bb5abc2d03cf
-
SHA1
ce89a053e1465aada62d9aa7fd456fe7c48bc21b
-
SHA256
af556c029dc19dd60c72dfd25a39e6b28fc848c9f9c4414d3bdf52c2e589aaf8
-
SHA512
768b5de7c2ab491da837b5a75508055750054abb3fb428e2d8bed7cc170fb15060e01f4ea46de680838f150c1376fead072912f1a9a1fd72ba44b6c9d212edad
-
SSDEEP
24576:aAwurUWaZHIZSK/ag12afzghGH1W1hOzHkzpBRnMAj6t+6mkiebg3LHtXagbRicE:n1AZg2gnzCwk0o+Aj6vmTGqXVJeh
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://property-imper.sbs
Extracted
lumma
https://blade-govern.sbs/api
https://story-tense-faz.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\af556c029dc19dd60c72dfd25a39e6b28fc848c9f9c4414d3bdf52c2e589aaf8.exe"C:\Users\Admin\AppData\Local\Temp\af556c029dc19dd60c72dfd25a39e6b28fc848c9f9c4414d3bdf52c2e589aaf8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009473001\129b39dd5f.exe"C:\Users\Admin\AppData\Local\Temp\1009473001\129b39dd5f.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa0526cc40,0x7ffa0526cc4c,0x7ffa0526cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2372,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1712,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1828,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2512 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,12626696526934746295,14538754403694333061,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 12804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009487001\fcbb070975.exe"C:\Users\Admin\AppData\Local\Temp\1009487001\fcbb070975.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 16124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 15924⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009488001\f67a251fd6.exe"C:\Users\Admin\AppData\Local\Temp\1009488001\f67a251fd6.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009489001\5e9dc2db65.exe"C:\Users\Admin\AppData\Local\Temp\1009489001\5e9dc2db65.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3ac0d0f-4cb2-4ddc-996c-4df1f34cf975} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3010fa7a-37f3-4f67-b0c5-085c5bf7d8b1} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb5d156-f007-47c1-859f-794eb8f4c329} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 2756 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c2ea85d-6220-44c7-a9ef-0f81ccb2a93f} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c04491b2-fdff-4735-8d0a-b3b292bbe4d8} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5200 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a205226-7cf5-42aa-949b-9dd619946505} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df97fc1-e442-472b-a5ab-cdcf4830d689} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ff6b88-8c70-46e9-a25c-e063fa27fea0} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009490001\c24b67936d.exe"C:\Users\Admin\AppData\Local\Temp\1009490001\c24b67936d.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4552 -ip 45521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4552 -ip 45521⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4456 -ip 44561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5a0d0083f16bb98eaa871df1553daf69e
SHA1c41e34c23ace351e027a350c1f13eeac67d25217
SHA2566a3f6af08d7e52af50027697fea42d0405c807f9aac9498dfe5907d85a6489b5
SHA51227d7ce659f9ec8ceac7d368ef779ba8631f019a6107dad53438f99f84d90f566ba27515d6a1a55d5bf24f90d0b1b8b2d28a4cdbee200ebe208d46e44a6e041f1
-
Filesize
4.2MB
MD50b701490dbde8b74ba30256ef258e334
SHA1c6fd5a1f913fb28339d70469624076eebccb1ad2
SHA2566cbaace9fa4d0cffc57dfc14014351cf69204f93c4cd273d85058a0fa056e449
SHA5129f1404ec7293fbf700ae3e4ee61dd370d11706061667230b918f7994cc366987655404df5f1ceaec91ce299abb90b17f5590b731de82badb5c849876f7e1626f
-
Filesize
1.8MB
MD54d590c2e2723f4ddad39983cfcd016e0
SHA17820b528b791f5bc0a6f648e1abcdcf153d0584d
SHA256f2c1208026df174002f01a627d04e9dedc0722b40736fadaea5573dcb1dd7ad4
SHA512920ca5ced1d710acdae75f3fa643355ebf99c4d107a8afce30e4c7377e5b7a230a8a49d978ffdb84d706adb37045028b9f005f354b3a9362e1a5bdc711b31eb2
-
Filesize
1.7MB
MD5957d1a37c48a91e2b68183a1b8071f17
SHA158a65738f2c90b1c3dbce666d254c25eb7ffc181
SHA256807edadaf8265da90820759a2d1c60a9962ad6dd515f0d18ac4696c8a4bf4ca6
SHA5129d8b73940116417bebcf78bdc2fbe69e20591163259a9e64b1341d503c5c206a619cf1b7dff65c094e4f9d8f7eab86bfed3686b25c3f4a80a7f2d01c652fca22
-
Filesize
900KB
MD5f4890b6809d98b2a6be0764fc93e0670
SHA102a007f7744929d56586a319102deaca67a4ae55
SHA256439224970ca8cf83f01947f69fca52645e57beddc8fd61a214a4b961b1b6bd52
SHA51266d084ab650dbd4d11109e00084ea544a6e9ed747d7552d50a860e5de5e2c46b3ce33c31ca8c2c01734b887f0e32e469d9c89e758ca54fbc6764127867d42738
-
Filesize
2.7MB
MD57c5c84a24fb15ffff1d92b6e72efa101
SHA14ad29785c9168995ad616b799314f53b25552a75
SHA256112dfbf128000bb2106853e51a73b90dd5441e94bb9fae7b1cc44345baae229a
SHA512ff2ac1545cc37deaeb6f9c1ffa6a062842dccd1f9c1e67ccb443136ac87af8b61d23bff000e7d39bdbac1eee5c9a3958355ae6fa3944dcb503c048332598f859
-
Filesize
1.9MB
MD5055a7c8f105841970689bb5abc2d03cf
SHA1ce89a053e1465aada62d9aa7fd456fe7c48bc21b
SHA256af556c029dc19dd60c72dfd25a39e6b28fc848c9f9c4414d3bdf52c2e589aaf8
SHA512768b5de7c2ab491da837b5a75508055750054abb3fb428e2d8bed7cc170fb15060e01f4ea46de680838f150c1376fead072912f1a9a1fd72ba44b6c9d212edad
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5ac6d1740e0f4eb16f5f3261b7eafc1df
SHA11eb1df996bda52d27e6379c7a178f0142adf7608
SHA256096999267c123c0d6bd92170bd81aff625955eef8d15e5db1141dae5bc350dd8
SHA5124cc9a15ef16eff6948bfdb32cd7bbe2aac5adfdf6ee98d22a0cb01e54d3d7913395694c81fa371ba6fbb725a741ee136fa9c121ba295e8decd3068f74cfa3a35
-
Filesize
8KB
MD51a147e35087420ee2949b7dbcf9bffcd
SHA1ab09140570f8207c2b2b0e82e2799ad4b9a90075
SHA256cc920a9cdb881a05ad86b97e9211948e14b0a0b27dface65a525bfae6985e21e
SHA5122e7ae8fe1f341c659979a1c0cce2ac375caa06f87413d6183fddee2157850a8754ea14ac55253ef7563feaffe336af29e00e92e7b23ffccc39c8dd8f72f2c6ce
-
Filesize
10KB
MD55cae3a7348bfabc6c37ecabb04ca0292
SHA1cbfc2e45e8990fa68df4d335eeb8578ca981eb4a
SHA256bdffcb3c818db8d8ae6e879906c8017eab22a743403a162fa27b13dd97984309
SHA512bc8936fa0cfc3e04d962c7c38464b2b2c78615cb3cc5169121df91e3c15db78b2624c902ffa2aedc84d2bc1a4cb169e2623179a3803ba9303126d51b7aaa91bf
-
Filesize
21KB
MD5d0ab4056c28436a6e11721d28b768ba7
SHA1be1495cc90e74f258aa0bd3af246b463b6e582fb
SHA256daa5aed4520ae8724bd7d195194b282b69051f2e811791d257bdfaf29a26de46
SHA512d3683d4af4e449c6550d9cfd89897b46bcaf4f0fbc0640ae3c9c6c4101a0a31eb97bfdecc4bde2870d15ccbee44c40f99550678ebaae06c3f87dc8ff2d3706c2
-
Filesize
24KB
MD59fe0f52c98f54606d1c88831a138ff16
SHA1c8ae576d57c4dee3479a24ca368dfd23f88c35e5
SHA2561915364ca64ae187154e268f2a13f92c55e15ebd477a0e3a93406a24cf75d9b1
SHA5120aa741f2027d116741ffc7ae517fe4bd0cf097f162b1f87cc67d1509a99f2fb3c92c3616f999e86f23b3d9907c6301d0173fdc2734a2d61ac06eecd7d098b452
-
Filesize
22KB
MD521396f4dbee641919f61c26d6012df75
SHA1828d33a0be8bad2fe708223f33e75c4c4751f544
SHA2567cf1b29395715a42d73ad1ae8584eeeb545fff8f430c4782994124b522b4985a
SHA512c3459ff876e126adfffaf900f6b22e192a14b0dea3de87d3b2e4b4796567f628c6aa1af638b482100ac867713581a959f9c795d0782956fa30b1e5f5fc5e70ed
-
Filesize
22KB
MD5f4ebcd87072c42fb108c8bb287e0b32d
SHA1183287034ea5ff2abd0aa2ffd852c8699c8f1313
SHA256237951db58ae637073e595e8f3c439ab4c45603b0983eb7c5f8bc4e30d488c26
SHA51284e211e5b48cfffe6cb25c0a70bd9599fbe8be0d7cea8b86916dc74bb0145921b6907f8d6b293e38821f9313d34e50614ccf4b478499a5ac22d33e1de29851ad
-
Filesize
982B
MD575b5d4ea80ec7f7a7b4c2f6633df29fe
SHA10ab1cb2049882ae2952f752cde96d3d86af588a4
SHA25658f2b3df1ff1c52aab838104260a2b8f99368fd68b6c3c15a60fe51d5fb600c2
SHA5125c0f44da68bbd310e93df59e5c338f663df5b86e0e1621e8480819ef40c4f14a4144ade7df45d2dada5eaf2b4b573d3040af8de7f41b55f429ce9b2728ce0aa2
-
Filesize
659B
MD5a958b65973dea1077441cb15798a0e91
SHA1e2c978e2a0c9d8bfd4e0f497ad7ca43054128b9e
SHA256fca2470024695e7ae15719f27bcf9d7d273d7623ed7e88b74d5dc9ed7e3076fc
SHA51292600e2abf07f2070dd5636317d371f204e7292b9a8a31a1931cce53a9373fce05954478f8652844d60f749d71ee6bf6e974574eea93a9dcdec74da14a978d02
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD51098cf0bc06627c103512480b218c67f
SHA1ce00c34423ad63c4d112400e20728eee9b686fb7
SHA256e51b30f8ec9251fae722aa44d6643d607249ff73323df5da4c6dbd1951671a24
SHA5128998359d1680f8f49a841300b02ba95e7ee3c1351134af08756be4a9d0560e7e83300a20e6217dd52fc554850052d708ec57d9ef72e7e962c46f97715ab960f3
-
Filesize
11KB
MD5943638434c1b0005154e0e672505877c
SHA16261206c482b277fac4f2a29b89e57d7890fd28b
SHA25638762f1e6c4567d6e0435384cffa2a7258cb9bf7c244f5127abf361a57a732a7
SHA512b5e5b7e7d945c5f18db1080d71853f7ea23508ee2cff16dfdbffac51cae59b63e2f76a803fdd4205b54556224f78f67ff86721c00a138cca59ebf44913d1dad5
-
Filesize
15KB
MD5c347ef633af481cc15168472d199a6d9
SHA17faa47bcf7f2ff919096dc5a2e72e089d53f7a3f
SHA2568d6b27c7a329627a1dbc68e15ac2c62629840ee01935468913300170f3a10a1d
SHA5126191cd455caee1c0e64b2f1bc7f846c28d907b92403c56c2cc1a15410de666956fafe6a1bf88f2e2572833c4e17b2e485b6004e999bc3dfab6f1d405916b0ea6
-
Filesize
11KB
MD5f4ac186d6161d7a0b12def036366f807
SHA14b346b7216e670f6dfd838e4edd7d6ebab4f8fc0
SHA256369b95a72413e5c853d55c8d726073c5258e435cb753ab712481af8f5805499f
SHA512737c3455322de0d4b4240b06e8e6023294cf4c323ce2a3ee69a31294331a4154ae6d6972e204881334ffac22d95cd87701b5459214a900f2160a31084c90d6f4
-
Filesize
664KB
MD5ae3ad3562f24f8467bcb038ea140ee05
SHA13d998427478c252eaa1195d17ccbd214780771d0
SHA25600424111da39cf45dfc978f48d60952e62e4b8677128a64901cb99c5680c6973
SHA5122165e45a5e14164f09610b5cd8c3cde15bcff0bb2e57b78ebe84873a9a1ae3866e9d76a739307e715fca26405fc1cbcde13cda78204ced32053516adba987d09
-
Filesize
1.9MB
MD55ed4b1748712a37c3dd385036b88e3d9
SHA1e55b6a2409b1e1e11199a1e39fb1df01cbc1b1ae
SHA256dd7a203dcdf9574a40f24d6eb8e13ae314914bd47bba8f3eaf94a8c807c5efed
SHA5125c570474878f313eaaa138dcf30eac31cac88034bdeaed9add157eda94a3bd571c2e1e8857702c02cc9db3b802cc978ac817a40a58a56ffd64a58b20a50578a1
-
Filesize
2.6MB
MD5b3e4b5b35e651dc8a9fb8e0872c2f50f
SHA1dc188b89d7d2abbf94f8f1766352ceb9daa72879
SHA256ce520a4baab3916d85b9fc93993c2dcc614a76777c54c3fc342f40976305d1f6
SHA5129974a4daca991b30ae5517ffeb6b68c8b3b1e09098f75f6dda5f86de32d34c1596bf9d874c368f4f9a339b01cbde015fe5d5db45036eb204875b9292404d0b84
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
10.4MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4.8MB
-
Filesize
72KB