Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-11-2024 02:14
General
-
Target
19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
-
Size
1.8MB
-
MD5
4bda10f72c2430d42325f6370b200503
-
SHA1
90dea37e11ef453277c70c0893cba71e4300c2f7
-
SHA256
19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae
-
SHA512
c8cfd93dc322c7d1e2fc6ecd1da797ed43b9c8bbc544d920d1f62e80b19b6ac45642e4d474001fab9c8144a5cf99cdce6752c1117828bbd3d1a0dab1b6a71807
-
SSDEEP
49152:nE/WgpUXWX6t2GXpNSlTPWUpdZZByL4ML7F0:YUXWWrXS1PFdZ+
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
http://encrypthub.net:8080
https://encrypthub.net/Main/antivm.ps1
Extracted
lumma
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
XMRig Miner payload 12 IoCs
-
Blocklisted process makes network request 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe"C:\Users\Admin\AppData\Local\Temp\19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe"C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Temp\ps9182.tmp.ps1"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fqmmwpf0\fqmmwpf0.cmdline"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACDA.tmp" "c:\Users\Admin\AppData\Local\Temp\fqmmwpf0\CSCD503147E651D45E6B91D1A8217A8AD8B.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 2684⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe"C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del gU8ND0g.exe4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010466001\efa7494568.exe"C:\Users\Admin\AppData\Local\Temp\1010466001\efa7494568.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1010467001\4f55471723.exe"C:\Users\Admin\AppData\Local\Temp\1010467001\4f55471723.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 15324⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010468001\5469513115.exe"C:\Users\Admin\AppData\Local\Temp\1010468001\5469513115.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1010469001\94e80d192e.exe"C:\Users\Admin\AppData\Local\Temp\1010469001\94e80d192e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 16484⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 16404⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010470001\6381ece043.exe"C:\Users\Admin\AppData\Local\Temp\1010470001\6381ece043.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1010471001\8951c326df.exe"C:\Users\Admin\AppData\Local\Temp\1010471001\8951c326df.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb6448eb-d524-4b9b-b330-e76687f194e9} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1d4cf8-d3e3-4b35-9dc3-305b3548e3aa} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 2736 -prefMapHandle 3092 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52790d01-8906-40b9-8f21-2f110e60129c} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1552 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cc2b59e-61d3-407e-beb1-05c86584b56d} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e892d19-4f02-4dc7-899c-f29451e22693} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98befe5e-9799-4e75-a4f5-2563aa45bafe} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 4768 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c05dc0-ad2e-44ff-8543-d6118a5601bf} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e77f68-0a05-451b-af71-4379f3d19b4c} 3756 "\\.\pipe\gecko-crash-server-pipe.3756" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010472001\0943f1073a.exe"C:\Users\Admin\AppData\Local\Temp\1010472001\0943f1073a.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3052 -ip 30521⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4156 -ip 41561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4156 -ip 41561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
1KB
MD5e0ec6bf376a6b15852bce768196c5ed0
SHA105fe4e592ebbb7e29f36b8d30a6a90ba29bd4f81
SHA2562d4a39cbbd597a7cfff477817c3c7c541c14974c8d234b4c0de6d229e3a3ce97
SHA512dc0c7d3d127c88affea9ae402d7358c079cfa7fc3ecb417085e31dc749da1406e72563bfbe42167fdad57e10aa0c6cca7a8ba06921b3a1212ad7ccee1a0f859b
-
Filesize
1KB
MD53babf9c6c05da9255430d00a9911a8cc
SHA1fa7459a172d7749885fe9f1099a2e636f5341608
SHA256eec01bed0972a50daac662c278463648f12c0916624c2ded005ad2379a5df9bc
SHA512a8a3b5a05afaf4551cc2e8e3992240e18137655ba6e69e73e84a3f5b2d9aed8d730ee175219040b4d50b2b751757f716292d0d96bddb8aede3dc26f89d8ccffa
-
Filesize
13KB
MD5a00478c52edd4104c28bfac4cd5ad116
SHA14bea0565b66eb0a07340c6c5ec1248a23fc8113e
SHA2563c8921a632f033fa6349fa8aab0da5262d7eb4c131048aad6bc58008095d2c06
SHA512ca77d514629ae9f82dbea8f51a35998dd6d4e7133e8bfe9e410d4a6b11356409126c32fcc29c83dcda1f05145fc21762324a45963beb3349b8baf58ff6d4359c
-
Filesize
5.2MB
MD5f9d439154b882444a73ebece7b6dff73
SHA17f824a2f7c485c1445d7c1d249217b0c01c3acda
SHA2569c022e0b33b29cde3ad608628c8928939e543be3fcc62397c4a7951cbc552488
SHA5124f1474de49831a62a33656a0107f430b80d5a08658d888ba6bc0990ba610068d4dab59216ea956ad059ca084f6c51325b79e28199ced66adc806d95843d59c05
-
Filesize
224KB
MD5dd15cf2bfc32f80e24ca203869cdf7a0
SHA1d65e41d3e892c26d31d64bd129d0de29b4729df2
SHA2563373ad6983c5f596d6c022403fabc1642b957de64b3d5ea7360a11d2c862c040
SHA51228f2ced84d162d86aea6dd508869292c484cd0907f338b9185500a1301144191e32eeb596833d4333c3ef819102887044007952ed93ba04dddbd8b23fd3b650b
-
Filesize
2.2MB
MD54c64aec6c5d6a5c50d80decb119b3c78
SHA1bc97a13e661537be68863667480829e12187a1d7
SHA25675c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA5129054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76
-
Filesize
4.3MB
MD552fcb84b6a36a8e28a1b56f2603edf23
SHA17c57ca452f6cac2ac981a6d9a2f6dd6b3f1024cb
SHA256a335b6dfadfcba436732f642a8051ecd6d92b5ed1f140a7204166318885d1977
SHA512a716a7694be16901b89e8d2a5b811ae09b23f018c2745ec71c1a266311e2a83fcd4cc80b7669ab8f1bb76b960cfe1ab06beb69339173e8b7a50182c7e8ef1d0f
-
Filesize
1.9MB
MD5bfc42771a57c54c13eaf5c08d901d575
SHA13b56aaa66444eb79c8e6a9158a677652420162e8
SHA256db977ee9f15c7de15daf23d0da221fc050dda8f26ee192f7052c1aaf97eff338
SHA512bb18a33231f241c7503886da19a470e65b2c3cdc62b049fd3352f8b8e6180e4ed16939fd7f5d5b495389ac8d9de0917713e9bbda1a00a9c116e2d4ce0dda857e
-
Filesize
4.2MB
MD5ec8ed73e21b10c6b4e769c69ede7c092
SHA1c0dc8df08ad331206be57370a03350a0c93b4c34
SHA256aac5962d87db217c6af7fa8fcd430da59251e2d8d98ee371bcdba6c4f5c91067
SHA51218d5939b63db842370227d3824fe45ab1032703e0b05879c505abcf4b3aeb7b9f095b454e7257fb1a08cde63e5affe0b8d8ff6b378808eea143186fe7d8528c5
-
Filesize
1.8MB
MD58f22641c66c6456fcf2ede553588c7ac
SHA1565a7aac9d7b143800249cc3d764bde0da8cb543
SHA256e838b1da3cb25600d92250ff58f560547d33a872dedc01846efef9e8e9d0feea
SHA512413785420304092eafd782f48e1aa44935eb373354d25075d1c454cf7ede2c5f179789f78adccb4f940c8c6309b246fde7cb964e5f696cc132e6a98f629fce68
-
Filesize
1.7MB
MD54b1829d06a2bfaa44a8641352f72e9c7
SHA12fb0dc341ce2cd9821f706d3f008d1fd4d66f99f
SHA256aba4c12ea3dae07d48556e2e9cdce2917f17a22297b8340940ce21552c06495c
SHA5123d567b96c693ee74633cf3a82187e0087241c73f603d0a9c7b583b453633497c8e47fcf682cdd69b92f9ae3b21ad46f627054e14271d2640316af048d28469fe
-
Filesize
901KB
MD5d458150353e036de3d0ad086097981f5
SHA1d6847190302c2dd027a9e81657070de7fc7f1ff2
SHA256f45a44994e90602e0da5c528b9fa4bfea3af5919913d596b1106b6da56387618
SHA51298cd2fae3c6cfa52c31e3a0637ea32967c8e470c362780fbaac19df88d8f12cc8a90ae5046a480bab157b496761c9304b219fd055f256d1c5ffd88e267a848c9
-
Filesize
2.7MB
MD542145e1ebafce34187ad375e1f69e103
SHA11e0e36bf698c2e5e63ea73d9e92f932ceceb7b87
SHA256c1bfb6a5d5542512a2bfe1b4837c4a3a7a1aec01311905fa9d949cf030a0f3d3
SHA5128eed4ad9d304c5f9b55aac922835826380df646ac2bcc881a322ab39f078c67af56a5263c1c109b0088c95a78b018073ee84fa02d043c9ea254d845e83f023af
-
Filesize
1KB
MD52c193cf02ce7375e1fd38c2560005cf4
SHA1cb91f3f229029549400fd304358348d6e68569b8
SHA256d7486ee1bd7648737d93414782e86980a8554111cfed11e582228f205e269586
SHA512477abb69cd7b5194939f368a740a805d28bf96e04e98d50dae9d2b8763d4009b2451bc41db5ee78f9678d09b1adb049dcecf7a5b247bcbfbb4fe4d1705299cbd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD54bda10f72c2430d42325f6370b200503
SHA190dea37e11ef453277c70c0893cba71e4300c2f7
SHA25619de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae
SHA512c8cfd93dc322c7d1e2fc6ecd1da797ed43b9c8bbc544d920d1f62e80b19b6ac45642e4d474001fab9c8144a5cf99cdce6752c1117828bbd3d1a0dab1b6a71807
-
Filesize
3KB
MD5a5fb364554c6c1867ccbaa1b21fd3626
SHA1d0bb1026755b37e5ac9b7fe3ad258adc6a5f58b2
SHA256c67ab2e8f156725ef8a5fe43df8e40c56c9e98fb3c7eab0e6275e0e45d3ee65d
SHA5120d9602658d6c4c70c769d0b2807f5c887e6f3cfda1cb3f32b05dd97fa9d316b8040180311301e6f0fbf55c348b0a3b3bb7c867c1ed923bebeaef149b3bb57c16
-
Filesize
4KB
MD56a67d58617fb9923f8b51746dab46333
SHA151d6afa54aa92c82f755511d3c9029e73b17ac9e
SHA256679d28798cf9618b7be8f7d6bd669c2f4501cec6e780d9f59510021742162a47
SHA51231a9915591bcce34cb0a139e93d29d56b740295eb6e1a7d5254f591fbf77bb007d6a28737f79959d86c0392486aa4f84a6f6ff64bb151d8dcb36ed5e177d8dfe
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
6KB
MD534af81dc1aa7982cad3336887ea26019
SHA1092ccfc0bbdaa9d138abb03ac68605dfe7a2400f
SHA25635779cecc149bdd308762e865a89eaf456c84831163c757a30c820e280d2b0a0
SHA5121a236fd3b55ff6682ec2eecd5cc45b26e0aa963bc9cd34082896923b70888f8d0245b98f4e7b0d346807bd3362610770a73175872de658e21ae47299ad4edda8
-
Filesize
8KB
MD5fcc73dd6008ca67df05be3a31e4847e6
SHA1116e4f54d2f894e35fbe38bd45d5fcebf700f1bc
SHA2569e60998e1dfee6a37ac67bf9f3e6a1834f88353938efbb3ea782024f6e491167
SHA5126aaef9803943c0d18126cf0c5e9e76846a4d2ef25cad9109ceb17204ca4b4d3823977afd3809d1658821477b78fd8fc742eabb0ed22281aa80660df90a842932
-
Filesize
13KB
MD5856d666d245d7d2a73bfda36f0d7bad1
SHA189cfa86077084e846912d3c7e25309fe008bb5a6
SHA2562c477b9e34c50ba675908cc2185e143aa131c89de89372e005cfd893f7cbe8d8
SHA512c337009cc532f9608e38c0f9d7170a2b96064a0f72410e67c9ed92308cc7183bdc5e29e1104abd8a2073045118171ac9af772c6bf24992330260dfcb47f72bf4
-
Filesize
25KB
MD57e36f00fd7c83f25af0076ce6d835499
SHA1e7166d5698fba22c7d81dcf106cabc82f876fc2d
SHA256bd4a44e5b3e4242e65c45f5fa282c11f3fe91db50e618823ec63f86787409d6e
SHA512cb7b57172f185eceedddf5ff173e8654e7e5577958f7ef437a9d28f359857b8a62b9bf166a7ae49be79a5c463291f001fcfb889c4ac6f0e6c4628f004b6e7dfc
-
Filesize
21KB
MD509e3090f8facfb68785754abc5d7b638
SHA16e7a4587a4f7771de9aac2797861b2ad13f71a05
SHA256611be0795f1964125ce84bac9c255c187db49ecd2932e6ea52b549b1e51b46f7
SHA5122940d9cfa44b46de9d2974ac75b82c561e78453df1c5cd7d32b07c46dffdd31b194f98454ac567e2d7abd35f750cd17d1649edb3a3ab6fc3f732ee4a0a874306
-
Filesize
22KB
MD5995095cbc4de3d026e7b746e5a6d9e7b
SHA1470cb6baadcd2c6b2382ad34107c342b893d341c
SHA2567b6cd95e3fa022e6284e41d9b58abd8b0d0f9f6c3449244754b20ba1e84b31a2
SHA5120a020ec8931996027a09f259e3c9dbfbf1dd99727fb01b2aab15077d189f08f61f32b0a5b1f94000f7df291214a7ec2dff9d6751157d350ee936b6b4fd2a3eba
-
Filesize
22KB
MD53e010dfda759acac96d2fad55c5a2041
SHA106a684c6bf9d7b38e727d29a575f1289851d3c56
SHA2563021687547e3e49e3eda8fa3800f89a7426bf1a23a47690686ffdc4555c6ff46
SHA512539670fe161e4f6667e044726eb90ed04b51d05318ab8f85cbd5ba65835940a27dfa621dd095bea8bb6306ab9c64ffe5b761d9631f009c6d9e1e7cb31b7b3b12
-
Filesize
24KB
MD5fc49ad5cfa71d205b2e9709eee822262
SHA158553d0afebb8b53207e4eeb105fefaee34a52bf
SHA25685f84a1e0dc8c7b458b944c0d2831fd745d789edd41668b9b79a6dc77fc6ca85
SHA512adc7a2089067155c5b3232833f130f7912d0c697ce20923ba577ba2cea3ee1819adde3156d707560310678060b5a73be2b7460497d54cde570bb121e81c22c52
-
Filesize
25KB
MD52378a5a18e8c954762c6e99b2b73d660
SHA178745a63b6d251d59d44a953cebb2e75231a6852
SHA256adc05d68b91bff9577d2f0f5e25f02cf6bc7d9382443b9a7e6fc315bf4dd175e
SHA512a55ea7b31ee07c2cc28216ee464789afe2f32ac81bf985ad77d05e1f94dcc390c4a198e630752721da48be01860aa04b3631785896805dde9333481c4af356c8
-
Filesize
659B
MD59618be6ba0cc39586b4612cdd8c860f4
SHA1525a8de447b9868a8a162ada71ad96d0d0497883
SHA256db84c9dd12155f8a1b8ade3b79cbb90ae09be3e34e387aaf51ac20bdac3d3d40
SHA5127f63cb026df14456795c7d0ad33d295af06409d03b340ccc1ae79b78a1cdb0483fa512f72af69b7fe02f2e5b2a68f504721848d915f409965617af081f51d6c6
-
Filesize
982B
MD58cdf1b0205da50dc2b7c9893bf1a1f09
SHA1601110d6130125201381efa901320bbff1d88e2c
SHA256f477ed3cf2c83b32d120c1c7825e9ddddc462913d9c696db4c69b8d25f684037
SHA512c39642f9bc93b7ee59d8bc28d1dfd81a908414c1828d9d177a45c97deb9f05321575efafb28e28ef021b5b9cfcf81224de80c97441fd68f49545d42c17981113
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
12KB
MD5bf68857af1d3c89190dea52ad1d12909
SHA13c912fc340bfadcc3cd965aea448187c97327fcd
SHA25661fc85f8a16d360c6c93107abf5fa6d9fc8ab525d31d8fe6c1c6562aaf9ca008
SHA5121f0e6f81459a749e9976aea97e9c39c2cfece9f249fc536fc36fed4616ba28a496916dbf6a9bbfcf7ebeb71a5eaa6b64993322e3b7d4069bd59a25e85ce015fa
-
Filesize
11KB
MD59dad838ba7ceb302e424da4315f5f760
SHA184c1c202bf2b44d3f2ffad3b89d5af40f9ca160e
SHA2565d7caa3a7e3a80ef1a4702f7086fe016ff7ed8356d7a46de3afd1f011bf35e62
SHA512e7fd69060d71b2965de81bdae11779b3cc0527b591f881e33be25339289dc5d1ea15ba3e698b31eaba22cc121bbf4427cc1edf486ee3df022c2ff7b7f64fc712
-
Filesize
652B
MD54ff782b7d74418e7eb8976d8de298f46
SHA109e105c7d5254301016f6c125dc0cc503edd37c5
SHA2565f26d4a6e5961d9ee3e717ed5c490499edabcd04d7edd7f8e93e1d81acfcc158
SHA512aac0afaf10ab2e2fd2a9f6b777362e75329b99274a8e8aac89b0858f773e521b86a62e77a5f0b7b7fa9b131a60430c85df105b33486d76b0bc0debf87c3a9cf5
-
Filesize
512B
MD5a36c5dbd22147371b4ea6ffacb560fb6
SHA1e7248cd6a49d3aae9439efdffaceeacad6a7c523
SHA256fc874c6cbd59c24e83702e0cd6f301c4a929865687d8e0d041090a2bcd801a60
SHA512256b2e0beea6305f21024d60acdb0dcc84c2da46824d1c0610a9a22fa0e8c1753271140db278baf26e260c381f13001be1e8c651b01a178ca0922a2ab1bf4361
-
Filesize
369B
MD526903f7417b421cb03f275d2b38900d8
SHA1c38c10d21ca06b3daeb13523dc792fb0ea6bf4da
SHA25617794518404c97bde64126798c857ff21df04e21b3cdaefee33d840b6b1aed90
SHA512091b311700b0964d591114c3be4ecb89855782d81104074d36b1c7446abc8306ef877c81a4b039c7cdc2f2bcf0ab882a1c121a5907b4734dcfc3a742a22083e2
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
128KB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
112KB
-
Filesize
4.8MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
144KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
200KB
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB