General
-
Target
241105-dtxrgatbpg_pw_infected.zip
-
Size
132.7MB
-
Sample
241204-x8wmhaxmcv
-
MD5
136b5aad00be845ec166ae8f6343b335
-
SHA1
e51860dfb734c9715b6c9b74d9c582abe03ca90c
-
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
-
SHA512
ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
-
SSDEEP
3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Malware Config
Extracted
zloader
main
26.02.2020
https://airnaa.org/sound.php
https://banog.org/sound.php
https://rayonch.org/sound.php
-
build_id
19
Extracted
revengerat
XDSDDD
84.91.119.105:333
RV_MUTEX-wtZlNApdygPh
Extracted
revengerat
Victime
cocohack.dtdns.net:84
RV_MUTEX-OKuSAtYBxGgZHx
Extracted
zloader
25/03
https://wgyvjbse.pw/milagrecf.php
https://botiq.xyz/milagrecf.php
-
build_id
103
Extracted
revengerat
samay
shnf-47787.portmap.io:47787
RV_MUTEX
Extracted
zloader
09/04
https://eoieowo.casa/wp-config.php
https://dcgljuzrb.pw/wp-config.php
-
build_id
140
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
-
build_id
131
Extracted
cobaltstrike
305419896
http://47.91.237.42:8443/__utm.gif
-
access_type
512
-
beacon_type
2048
-
host
47.91.237.42,/__utm.gif
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
-
watermark
305419896
Extracted
revengerat
INSERT-COIN
3.tcp.ngrok.io:24041
RV_MUTEX
Extracted
revengerat
YT
yukselofficial.duckdns.org:5552
RV_MUTEX-WlgZblRvZwfRtNH
Extracted
revengerat
system
yj233.e1.luyouxia.net:20645
RV_MUTEX-GeVqDyMpzZJHO
Extracted
njrat
0.7d
HacKed
srpmx.ddns.net:5552
c6c84eeabbf10b049aa4efdb90558a88
-
reg_key
c6c84eeabbf10b049aa4efdb90558a88
-
splitter
|'|'|
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
njrat
0.7d
HACK
43.229.151.64:5552
6825da1e045502b22d4b02d4028214ab
-
reg_key
6825da1e045502b22d4b02d4028214ab
-
splitter
Y262SUCZ4UJJ
Extracted
djvu
http://dell1.ug/hdfhgbdgbdbfgteerpenelop/cvnvbndtedfg/get.php
http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php
-
extension
.gero
-
offline_id
CkRzIzWzRp3U1ooEeUkKN4owpKdqn4SHRoxPMtt1
-
payload_url
http://dell1.ug/files/penelop/updatewin1.exe
http://dell1.ug/files/penelop/updatewin2.exe
http://dell1.ug/files/penelop/updatewin.exe
http://dell1.ug/files/penelop/3.exe
http://dell1.ug/files/penelop/4.exe
http://dell1.ug/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-sTWdbjk1AY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0156mJddLsdH
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
castor123@
245f77ec-c812-48df-870b-886d22992db6
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Extracted
zloader
June08
June
http://snnmnkxdhflwgthqismb.com/post.php
http://nlbmfsyplohyaicmxhum.com/post.php
-
build_id
149
Extracted
zloader
spx139
spx139
https://xeemoquo.top/treusparq.php
https://leeephee.top/treusparq.php
https://withifceale.top/treusparq.php
https://wpsnoum.pw/treusparq.php
https://wsaexdig.pw/treusparq.php
-
build_id
11
Extracted
zloader
bot5
bot5
https://militanttra.at/owg.php
-
build_id
15
Extracted
zloader
bot7
bot7
https://militanttra.at/owg.php
-
build_id
18
Extracted
emotet
Epoch1
12.163.208.58:80
45.33.35.74:8080
87.106.253.248:8080
192.241.146.84:8080
190.115.18.139:8080
65.36.62.20:80
170.81.48.2:80
83.169.21.32:7080
185.232.182.218:80
190.2.31.172:80
77.106.157.34:8080
82.230.1.24:80
202.4.58.197:80
201.213.177.139:80
78.249.119.122:80
123.51.47.18:80
77.90.136.129:8080
60.93.23.51:80
152.169.22.67:80
190.117.79.209:80
Extracted
vidar
26.1
276
http://centos10.com/
-
profile_id
276
Extracted
emotet
Epoch3
71.57.180.213:80
185.86.148.68:443
168.235.82.183:8080
181.113.229.139:443
181.134.9.162:80
217.199.160.224:8080
105.209.235.113:8080
216.75.37.196:8080
97.104.107.190:80
203.153.216.182:7080
107.161.30.122:8080
41.106.96.12:80
202.5.47.71:80
201.235.10.215:80
105.213.67.88:80
115.79.195.246:80
179.5.118.12:80
212.112.113.235:80
139.59.12.63:8080
177.37.81.212:443
Extracted
trickbot
100001
tar2
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
-
autorunName:pwgrab
Targets
-
-
Target
ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
-
Size
917KB
-
MD5
d592e787314d1c327dbc2da117e1dc59
-
SHA1
ba3a26eaa200d53129e304078309758bbb3c95f1
-
SHA256
ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
-
SHA512
1e805105ab482c752bd24afa028daa3e7bd83f0258510a6fa2ea0c90eb44d1eec590c926982252dbf3a28bb070befbaea5e78c00d556bd9b380a3c79f1480cf7
-
SSDEEP
24576:Hk5FAciH/EjiQXFPQ0NQaScQqYLQnasbbTq4cSJG:Hk5O/EjiuFP32CYL/wnqlUG
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
-
Size
920KB
-
MD5
4339e3b6d6cf2603cc780e8e032e82f6
-
SHA1
195c244a037815ec13d469e3b28e62a0e10bed56
-
SHA256
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
-
SHA512
a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87
-
SSDEEP
12288:obIkK9q/oPvPrNAuPfZpAvJvqWTe57Zb8Pyfdyr4G8HdsNhAwpC:obDcnrNtPfZpYvqWTeDQIdyrb8HqhNpC
Score3/10 -
-
-
Target
emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe
-
Size
505KB
-
MD5
cbe9aa4dce4217491cf9bffae2c66537
-
SHA1
2b7a15303157f8b9f1cce01e5e7a130628eb2c22
-
SHA256
ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f
-
SHA512
71e2736fafa1be308ef341a937a1c6d0dc5a311952bfb9bfbd492c2e16950508f1aea5e63a8e3614c9a35cdc6a684d3ff6e2dba38fe483af74508d3df41262a5
-
SSDEEP
6144:DaRhOv5KaMqEZD+m6eewOmkGOYQ87wwzcCgZi3lzAOAWPcnLiG8Ztkq66ti9pdZx:wOKhDD6yUGOYQto3lzAOATStkfxeY
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet family
-
Emotet payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
-
Size
448KB
-
MD5
6becbc70725f55f6e6dbe66f383f82bf
-
SHA1
7ea5f70e20171e23ccec3c18da638b78dcadfc5c
-
SHA256
93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1
-
SHA512
e3d8815ea584ec745bc103494e123ca489bdc8b8599745548acab449b9630a7e4a8d47c63db752aee63d18d1fec10f961f2f9c4cdc2324c26460c80421e09957
-
SSDEEP
12288:ZfzaBuiszJbE9mO4sl9kHAOyQkNvOzxrq:ZbMmO4sl9gR2Ot2
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Emotet family
-
Emotet payload
Detects Emotet payload in memory.
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
eupdate.exe
-
Size
87KB
-
MD5
ccfaeed043685c189ef498c3c6f675e7
-
SHA1
6973b66e83db7f6d9ba957a6f9cca60a4983f0e8
-
SHA256
5d81fc6ab3e6c7bd353ee53297478fc10abfc7f851359f81a65dea74c70156ff
-
SHA512
ab8f2d33ec8300d87423f53243f45b720e27d59ab7839d7dcb9d37572c1f4e34536221bfda25dee939218475f44915cac2cf4e9270881af15f53d916bd9dc204
-
SSDEEP
1536:ZzfLlsKsEJQgrsOCvojaWr2mACx9lRMgzIY/M0t4T5y5cum:Z7wngrsOCvov2mACDP/IY00eVyc
Score7/10-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
-
Size
332KB
-
MD5
1e0ff1a8078820c5c10652e406d51bef
-
SHA1
e191fdbe58b527301eb4bd244a2258ba1cad0182
-
SHA256
f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f
-
SHA512
eb1a011724b988362aa52bdcb69d2886b736dbbe72fe9e53fa3530eeec6bb4089519896a88af48df8e99c7010930fb84cd33599e57f8477e8748cf5259e428a0
-
SSDEEP
6144:R+xWEy53Bhj8sW4y9wTeT10hFPascnojIXTvUv7ohqfp2:RSw53Bhj8sW4ya6T6hFPasco4cv7o7
Score10/10-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazarbackdoor family
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
-
Size
19KB
-
MD5
6029c37a32d7e4951449e197d4850213
-
SHA1
6ed7bb726b1e04d6858c084bc9bf475a13b77c95
-
SHA256
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c
-
SHA512
bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f
-
SSDEEP
384:EB8JbJPKd1Bf3rNeD9k4NcKlb5sCSvyP5CtrCzYcHe+Z:EBCNPKd155ulNzxoUzYcHe+Z
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
-
Size
660KB
-
MD5
b44c5540e020963aca89f3b9a96beb35
-
SHA1
14a6e46be7863db3090d81a18d4e080ac005f437
-
SHA256
fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d350
-
SHA512
63ffac732d6b6b469f6072efa0b4ad0ef224072418b18ed879fe914c3cb64b6714ca4948c5d1816218d611865a1f1747121e126a407acbcc038b4615f9b7fd31
-
SSDEEP
12288:96zG7KjQ+oJLVaRwYdNKxRBUU8vg0whwRKCV50robF7z:9l7eoFsRjdN6BUUP01RKC8EbF/
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
-
-
Target
file(1).exe
-
Size
16KB
-
MD5
9ca9044bbac6aa39072da89d05cb3dcf
-
SHA1
7cb6ec980704bf7eb109918a1cb037deed4341fe
-
SHA256
3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03
-
SHA512
5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd
-
SSDEEP
384:9jmvn8X19vieB6gb9oDPlMNcLlb5sVKRye5Ct:9jmvni19TBDclMNEho
Score1/10 -
-
-
Target
file.exe
-
Size
101KB
-
MD5
88dbffbc0062b913cbddfde8249ef2f3
-
SHA1
e2534efda3080e7e5f3419c24ea663fe9d35b4cc
-
SHA256
275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
-
SHA512
036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
-
SSDEEP
1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS
Score7/10-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
-
-
Target
gjMEi6eG.exe
-
Size
23KB
-
MD5
9ab1a677fb73e7c5a41d151c4c21f69e
-
SHA1
10219ed34a3f76ca7fe30eb27a1a78d83c9ada37
-
SHA256
2027c43348230de4a40e7ec590d692f744f36cdb13eb65f599983158e920cdb9
-
SHA512
0c9f2e1555c36a3742a2ec604faf9a89bfd856946024596912bc116ad7f4fd15ee67969704956d30d70e7b6cb3a626168c309add57469adb03d389df0596f3c5
-
SSDEEP
384:nY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZtd:wL2s+tRyRpcnuQ
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
good.exe
-
Size
143KB
-
MD5
b034e2a7cd76b757b7c62ce514b378b4
-
SHA1
27d15f36cb5e3338a19a7f6441ece58439f830f2
-
SHA256
90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
-
SHA512
1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385
-
SSDEEP
3072:VMb/kbqjO/3FxV8l8wiEXHPV9r99rWhzAxH7wpjv4z:VMxo3Z8BvV9rL6h2H7wJ4
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Phorphiex family
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Windows security bypass
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
hyundai steel-pipe- job 8010(1).exe
-
Size
721KB
-
MD5
0999a03694a1c97a43ac0de89cbf355e
-
SHA1
0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
-
SHA256
8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
-
SHA512
6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
-
SSDEEP
12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro
Score10/10-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
M00nD3v Logger payload
Detects M00nD3v Logger payload in memory.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
hyundai steel-pipe- job 8010.exe
-
Size
721KB
-
MD5
0999a03694a1c97a43ac0de89cbf355e
-
SHA1
0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
-
SHA256
8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
-
SHA512
6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
-
SSDEEP
12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro
Score10/10-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
M00nD3v Logger payload
Detects M00nD3v Logger payload in memory.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
infected dot net installer.exe
-
Size
1.7MB
-
MD5
6eb2b081d12ad12c2ce50da34438651d
-
SHA1
2092c0733ec3a3c514568b6009ee53b9d2ad8dc4
-
SHA256
1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104
-
SHA512
881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b
-
SSDEEP
49152:znsHyjtk2MYC5GDbQ2cRQh9GexmCxBxVV56CmWQax:znsmtk2aj2cROGom6mGvx
Score10/10-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
inps_979.xls
-
Size
228KB
-
MD5
56fc044937a072471fdd8d63b874e04a
-
SHA1
738552f8db33ac0271aa860775815f3d1b291980
-
SHA256
59afe59cdbebf60434bd78270826ca9689c3765264dfcace312b89c606c0a962
-
SHA512
dbaf2e36ec17d474c829d847705de796bea153b784c8e894d4ff7bebb3bfcdf01447d97f217d9303e0eed5aa9b39046b75b2581331be28771582af2ea48c960b
-
SSDEEP
3072:bfMhNhd8o7Vym+BoOvuuUVZV/AHyhb3/7428JMPvjLJKHpEYC5ZNWehxleT0t:bfMhL70DBoOmf1FbAJMWEYC5Z3leA
Score1/10 -
-
-
Target
jar.jar
-
Size
81KB
-
MD5
9e8b6710fdd55ad0675295c2c3960732
-
SHA1
aed08772376bde9f848f335e77e2e3c3c230234d
-
SHA256
f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
-
SHA512
26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96
-
SSDEEP
1536:0GZABd/SAZR5RzfFMAjP/jg6X4bUdv/mIgQnXOunxgCfj:jZ0d//JfyAz/XIbCvOIgQemWCfj
Score10/10-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Qnodeservice family
-
Executes dropped EXE
-
-
-
Target
june9.dll
-
Size
491KB
-
MD5
f8a7273ef763776e5612ac1f47f6d405
-
SHA1
c51f2a884c024e442c1ae0d9bf9511c96a1fa02c
-
SHA256
c653365657fbf65429ad845d0a0d93106e972aca929739560ff4b4796bd2be08
-
SHA512
5ea060662350237d38d2c6a3c1da5fd7aeec6c05e71cdbb2725fcac47ad8e5c9568adc937329397108ab0cecdf29e9a811ab7e183884dd3044d7c5a6089f88aa
-
SSDEEP
12288:uDKxKMk8ChMNo+e8kGOK9ab4ozUWdBENcYcj6D9r6W3FaOi:uDjMk8IMNYnGOSSjgW41QEv1aO
Score10/10-
Zloader family
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of SetThreadContext
-
-
-
Target
mouse_2.exe
-
Size
984KB
-
MD5
af8ab92992ccc4cc6a637953836edf93
-
SHA1
ac17c77cae31fdfeb618b0083285ba869baf29fc
-
SHA256
03968a3a5a7a880feefca31686fcfbed445080a0c06eda2b6d623757179b782c
-
SHA512
9dc3bdfe45f9333d62ef3b0aaf3860a9ef1e94ced02ed0437d3ac2f96b3b9aacf6e621703f13d62f356bd50dec84cc3a3dc787a8a14c9ce0ceeed9ff63c45ad2
-
SSDEEP
24576:iNg+tKkEYA7Gmvv/HGsvPw9vz/DrELE7VUH:0g4K7YA7vvRMbcLa
Score10/10-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload
-
Masslogger family
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
oof.exe
-
Size
662KB
-
MD5
0760d43d4adebe20fa0b5e5a7bca1714
-
SHA1
a0a9dae5e9be39bca31021dd9cf565fcdefb8474
-
SHA256
8f9067f2bd4a374539a40fddb8915600c9fd6ba3e5db20cbddcb3c5f22d9da44
-
SHA512
7e60c2726711bb8e822375f93cfb9ced7d172f3f0ae07041cbeea8c4cdb45488d1de90ee77dfef52aa86722a5dcbe521d1affeace3aec8811e851f693d74ef77
-
SSDEEP
12288:9TEUsvsVEcwaFNaxr7IwFnm1p7BmC10sHo0AhHL:9oBvRcxuxrksqRNI0i
Score3/10 -
-
-
Target
openme.exe
-
Size
756KB
-
MD5
d6408ae6bf86b97eadfb3f15bbfd7933
-
SHA1
dd877b59c9acd80535ad22bdc07525d536a41139
-
SHA256
4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21
-
SHA512
f97da566db808c31ef9813124a7555ce35d3ead23238911935aa85845374dead962587cb252b7fda05c94c9b54b4555ec953e2d31316d2495c73aab148e88dec
-
SSDEEP
12288:Gh6IrzSS5jAVxdzI/YraGvkDbjjiraX2u:66IHS0ePk/oaDSaX
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
-
-
Target
ou55sg33s_1.exe
-
Size
609KB
-
MD5
347d7700eb4a4537df6bb7492ca21702
-
SHA1
983189dab4b523e19f8efd35eee4d7d43d84aca2
-
SHA256
a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
-
SHA512
5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
-
SSDEEP
12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Score10/10-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Betabot family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service
-
Modiloader family
-
ModiLoader Second Stage
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
senate.m4a
-
Size
575KB
-
MD5
8bdb30d9f3c697d3f12aea9dd3d83a60
-
SHA1
f89fc63457ce4914b5e41ed0b17af0a9e1ac6119
-
SHA256
3bc843b534c96a38ab8f4b785f902f70dc8ebd48164aa0870562da285c49a9ec
-
SHA512
bc7f688736b607baea107ea20d1e6686aed9619b7f10b81b95a74ac652c09696a83160f603c5b106498643c10c8eb60572ffbdcd23db6c12e68c15d9dec5f905
-
SSDEEP
3072:1YkPy807G4DQRGSiZ+LwbUcsNTJiFJwjjeh2ULOgKNIfvqoaAUk/vQExVxynJf0m:FPyH7l+4sdJeJoW4gO6q2vfLxyZ
Score10/10-
Zloader family
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
-
-
Target
starticon3.exe
-
Size
725KB
-
MD5
e8bbb6d921b79101aea7d906a1798f3d
-
SHA1
4fd59822cdedd1b194d27d2c01a9cde6222de1bb
-
SHA256
7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd
-
SHA512
c525e07c65c7be43aa90568f98253b397919cd0f597b1ba446fed51a578ca1aae4c93fa59e1345b20e3216a676ba35c89c67d6ced6bea68da44a53989fa4d656
-
SSDEEP
12288:O7q+wuEST6sxwGCwuwn5vE2nyrJppqrNSP9kdrzA9PpXtuRt2BoivOnJztu3vdyB:CqrFvGjF5iZqrQag1t7+nJztuHi
Score10/10-
Detected Djvu ransomware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
str.dll
-
Size
536KB
-
MD5
bfd5e43617896f082948b3fcbc4839f8
-
SHA1
0304d3a521a791359b16813df513feb891167e5a
-
SHA256
467ea1ab80fb43e2d59cdf16480ed80d0edd43a3a0baa4748300be7024d2b92e
-
SHA512
ec7392577b8f67f6e248b81b6d8d1333d7a15c9b7b957862b4b7c39e59e7b2849ad026850b78fd629f31a5e2287702a0a1486335d7f7f3dc356861cdf5056ab1
-
SSDEEP
12288:0bLgn0PC6NT4OhLPkjXhgECrfobaQsdqO76Qa+OCQkkkkkksk0vk2kkvBrZupk9J:0bNqCTrIzhb0omQsqO7mSuZBk
Score10/10-
Zloader family
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
svchost.exe
-
Size
31KB
-
MD5
49b8f905867aded45f1f5b3c9bd84209
-
SHA1
0a87788428778dba567623ccc9be6825eba4b7c7
-
SHA256
02883009e7e310bf670bff6336cb6c05c5ecfe0b40274a99b769e8fbfae19ad3
-
SHA512
1c9d2b7bb3948ad8f3cae541602575b9eacc2a212ab0a6e7c148a24a72e36986e4c46d646244837dc3ea7c71f3db90629f7ee68ef18565d67f93d1f801308361
-
SSDEEP
768:cLQBlGFnf6zxV+NKPkvJfbv6/QmIDUu0ti7NAj:dIqsb8QVkzj
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Drops startup file
-
Adds Run key to start application
-
-
-
Target
update.exe
-
Size
12.0MB
-
MD5
c5c8d4f5d9f26bac32d43854af721fb3
-
SHA1
e4119a28baa102a28ff9b681f6bbb0275c9627c7
-
SHA256
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
-
SHA512
09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
-
SSDEEP
196608:/CKcbhJ7Th2zINlZGI4KXt8ioZR4KVl8e/BGZfsKu97K1RdF4N/55H+oHVdxv:6f/xG+ifj4KVBZGZfKMP4X5eGXxv
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies visiblity of hidden/system files in Explorer
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
Windows security bypass
-
XMRig Miner payload
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
vir1.xls
-
Size
303KB
-
MD5
f5ec41ec42ebdec9404692dde8fb9d15
-
SHA1
39f10e1ea5153fa70be025a2d392dcf62966412e
-
SHA256
7a5d5f4ceb3c815d6fb882777d0859b9757e27edd5a95eb1c2b88dc438d09c92
-
SHA512
359fddc66f069137e030d2a039ddcfc76ab0e22769ff58f3a0571bae81fb94f87aed23c995eeab545c578e065339f3c1ea2b0623d33835f44054672f717f9952
-
SSDEEP
6144:4ZOljkO5kq4v/+4K+B0H4SJQ7CAW/H/E1P3zTscM:4ZOWOP4OB+B0YyozTscM
Score1/10 -
-
-
Target
wwf[1].exe
-
Size
2.3MB
-
MD5
f18334d87221ecb0fb12405814c21912
-
SHA1
2875140558c0c17a259ff2d731e5e4a0a823108a
-
SHA256
0263c76856472535f8441f582dac011dbf52f965086f9e59a6930c00b2106073
-
SHA512
fa96425f2402803b7c34ea27211c33257224f65966cb42c651fa688bc131bbae6dbf7fc743eb055398fc2e4a0841a17ff31097346c4666ba39607e974c22ae2d
-
SSDEEP
49152:jUEJpE+TT7TDGBcuHsi7Ly2Cr2SRtgbR9iTp1woifnUWtMbuIJ0y:jBnE+TT/DGTHs8yVr2n99iTpiXfnUWtS
Score10/10-
Zloader family
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
xNet.dll
-
Size
99KB
-
MD5
bf1f76644bddd20339548ebacf7a48eb
-
SHA1
38114702114105eb3df3f74bf4c68ef7db436f47
-
SHA256
5d9c2b1822bcaa71ddeaa5426d4312d8e174766ae8864c7add29d7f44cea87f2
-
SHA512
76132c9e29a0a3054cd41c56d5184951d392a2abd1995e14b34c40f14b154914a6990c107e7fcf4139344759ae6048e9ecf0bdaf0447c1cd589dfacbf901b7c5
-
SSDEEP
3072:sCMhzHWHfyqxjqCgRGAQIO7ScwpY3wisz0YsXhqnV+xnEd4:sCM52n4RSVPwIhqnV+xnEd
Score1/10 -
-
-
Target
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
-
Size
545KB
-
MD5
54bef758433c98353b61bf1e2aecefb2
-
SHA1
06feb43c6d58eab893396f63aa2e1d0e4542f7d1
-
SHA256
291f381da3286ea93c38bb325e19f35744349c3543708135d8be731f4bafb6e2
-
SHA512
3bfb51f9bee7033ebde0f418b88327b7c7a322b3e0572d92ad4cdf37c9fbed22d518c9ce2d8d5638381542bef83077d8054184b9f613b815df6906a99fd4526f
-
SSDEEP
12288:fPT9h+l+ofoa/sHoNFU9Zd1jWOYE9QjmJl/2hgDMjhP:fPT9hifJKZd1jWOY2emPOuDMd
Score10/10-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Vidar Stealer
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
-
Size
228KB
-
MD5
8399865e44e7d6a193f8c8acf547eb31
-
SHA1
17e3bee5debada69dadec0b748256925a1a8b1ac
-
SHA256
aaf7bb9ad358726ca367f1827686dc15fea925f26ab1e201a2768c67472e8890
-
SHA512
bf9ceb3a36ca874dceb9ccfec8e7635f5f11f83f04226ceb4e2b4b2548dbcecf2618fe5063bec068b1571867984d0beece6b5f9be0747a13ddb53f9a09aa4d61
-
SSDEEP
3072:tPTcPP3LvQjfIY9Spek01stm+XIm1EWaVw3ItNVFZUyfUNjhb+P0I1fcj:tPTcPfL43SW1stDXaXw3ItNVTUVjhGy
Score10/10-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Makop family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8081) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4JavaScript
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
6Disable or Modify System Firewall
2Disable or Modify Tools
3Indicator Removal
4Clear Persistence
1File Deletion
3Modify Registry
10Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Query Registry
8System Information Discovery
9System Location Discovery
1System Language Discovery
1