Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 22:01
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
27f6676a8ae816b6c71525fd308839d9
-
SHA1
4a0f006bfce61c3f2cd3e4f3dbc2eb8d412da98e
-
SHA256
98ea4a9cdbdf2dcc03136492255195ab2d50008ef5f59473e2614ee5731fc35d
-
SHA512
d6e698af88577ddc27410dcd3a478bfae90e971208e732cbbaafc51c7ed949298ac85aacd3acf2122871f46f4f644608acf1d32dd80683a38331c181e1c9faf3
-
SSDEEP
24576:XuTenIA34uWe2r4P5fEwhsmEkm/j+g9nQTfg+jN3CXWns9G4ZUrkGybZuz5khTaJ:fSe2qfEwhHIxQkz1d+5khTa2aGabik
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
https://infect-crackle.cyou/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
5.04
397a17
http://89.110.69.103
http://94.156.177.33
-
install_dir
0efeaab28d
-
install_file
Gxtuum.exe
-
strings_key
6dea7a0890c1d404d1b67c90aea6ece4
-
url_paths
/Lv2D7fGdopb/index.php
/b9kdj3s3C0/index.php
Extracted
lumma
https://print-vexer.biz/api
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://infect-crackle.cyou/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 12445⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 12765⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 75⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 125⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 125⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 12689⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 12489⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp.bat4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013035001\XfpUz7y.exe"C:\Users\Admin\AppData\Local\Temp\1013035001\XfpUz7y.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1013040001\270ed14b4c.exe"C:\Users\Admin\AppData\Local\Temp\1013040001\270ed14b4c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 14804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 15284⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013041001\6193e0de33.exe"C:\Users\Admin\AppData\Local\Temp\1013041001\6193e0de33.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1013042001\a8471d7cca.exe"C:\Users\Admin\AppData\Local\Temp\1013042001\a8471d7cca.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26e2a7ac-db61-4032-b922-afd18a5a71a9} 216 "\\.\pipe\gecko-crash-server-pipe.216" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51fef044-49c0-452e-b3e9-7706bee267b7} 216 "\\.\pipe\gecko-crash-server-pipe.216" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 1444 -prefMapHandle 1520 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66d86451-2398-4eee-a827-d108a8027bbc} 216 "\\.\pipe\gecko-crash-server-pipe.216" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c1ba6e-9945-4100-a6e6-d56658f2c979} 216 "\\.\pipe\gecko-crash-server-pipe.216" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaa4394b-49e1-430c-b782-ad055775bc52} 216 "\\.\pipe\gecko-crash-server-pipe.216" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5464 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca20353-1e87-4712-a488-4076775c676a} 216 "\\.\pipe\gecko-crash-server-pipe.216" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c57a31-78e1-41e9-bd89-9f84f586e91f} 216 "\\.\pipe\gecko-crash-server-pipe.216" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5808 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {871ae274-6485-46ca-94fa-7393ae738b91} 216 "\\.\pipe\gecko-crash-server-pipe.216" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013043001\da0f8cb9d3.exe"C:\Users\Admin\AppData\Local\Temp\1013043001\da0f8cb9d3.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1280 -ip 12801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1280 -ip 12801⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2860 -ip 28601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2860 -ip 28601⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3980 -ip 39801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3980 -ip 39801⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57dca233df92b3884663fa5a40db8d49c
SHA1208b8f27b708c4e06ac37f974471cc7b29c29b60
SHA25690c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
SHA512d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07
-
Filesize
19KB
MD50e502f1d547dc372c8fd0ef95fae00af
SHA14543d840efb5818899f16ea1ab17a95035ca27ad
SHA256fa399bc9cd33d2a5336c6e97f18c6c993bfdb5b51eea90b692f78ff05f8fb93d
SHA512067a332e21fc65cc20d960c036181dd3060b97f48295c2b546240053adb8703d1135791bf417c0ad28053146bc8ed07de870c4873d230388d61d406aef904e31
-
Filesize
13KB
MD57fb4eb5bd1378a6a37b6335e5c9f1619
SHA17ab2c38356d389a3b14ad595fcb910eb68ceb63e
SHA256572fa3ff4167a2183a6e37d36802a9529926bd8bc6fcac2896a0cb9e2d6707e2
SHA512157fcad58a8b107882ac5cc4ecfaafcc42e5612210f7704f575cca7ec0cee27086a98a51693273463874fe5ea78b2a262dc21022cf00de8f3d74114a8e42ebdf
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
5.0MB
MD5b183e5ff29a1532a84e5a38983ab9e4e
SHA1230c9cbd2e14598aaf73ae78c85c998a6b923a51
SHA25681a45f430c102365b46c663203ae5708b6befe2848f01efc7b702aff7170c901
SHA51231be2761821fb6bc81a010a3f68fa6901aa5e9768e9c57db53b52e0495c7340abccc9191500aa39540fef159578403e78d2af31ac364b89774d5f359b54c6c1e
-
Filesize
2.5MB
MD5d1e3f88d0caf949d5f1b4bf4efbb95a4
SHA161ffd2589a1965bf9cb874833c4c9b106b3e43e8
SHA256c505f3b2f40b8a68e7cacfe2a9925498ab0f7ef29aa7023bb472597021066b2e
SHA5125d4c43e858371f24ebafb56388a586c081d7b0289a3b039dbb2b011e9864e8e9f5dc7037fcb3e88f4bec4259a09ce5f3ccdae3161b43dff140e0e4ca7bff96c3
-
Filesize
2.3MB
MD5248f05d3601f7920d63e00e92e9941f1
SHA13fa1cabfd0456199382ed49d27362b846fe5b7af
SHA256cf559eae350d3165aa63d67e5b401aebfc78ab0bfb0bed686aa827cbb977b520
SHA5120e1eb9a8cdca28e52af7d32876be26b59716eb3edb77d8b0ab7787f04c90885b063b24993955297774d0f930342c8ac07becb94cd095c4ce0fa311c424c250ac
-
Filesize
799KB
MD589bd66e4285cb7295300a941964af529
SHA1232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA51272d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
-
Filesize
5.9MB
MD53297554944a2e2892096a8fb14c86164
SHA14b700666815448a1e0f4f389135fddb3612893ec
SHA256e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25
-
Filesize
13.3MB
MD55122e07da6c4389fbd0b811d41b18ae0
SHA1fa33ca1356b54c8c2d2f564a49754ed6104e0fd5
SHA256dc36cd245d0aa5750724ac2dc74d5368b9c06a6281b8082d682d3741185e18bf
SHA5121d1bd90f9c1adcd326911f4956661a21e20453eda601c05b741cc4859b5c182290b2830451a387d737eaefd4d2eedcfbc9a84892bb38b604f2900e4bd7d66753
-
Filesize
1.8MB
MD51c7e55011639d177aa09f698d2712ad3
SHA1ffd3fac2ffc86c41b9604b9593776f7c26a5434a
SHA256ef0eed5c8f78fcd9add4868d81725fd28ff7bbb41c0986d0e4c183c44d242b40
SHA5128cc544c3b265d9f3041011927ff533a5c8e2d2ab7c3bc56bf3e5b6e03be3c401f7afe1e8eeffebf5705162385588587c364503ab3fc71a1b686a7e0baf6a33a0
-
Filesize
1.7MB
MD5ba177a2ef8336daa29fcb4302054eb37
SHA1944701f5db900b06c1df014df31b0beba772468b
SHA2563e0ac437238d31e092b17484d03555f2501f761e4d1fdee138f848e3c41e3aa9
SHA51220371383668eea7a021b3b38db05f4c90263b2b34cec9298abe78b91d0d836f15d9068a0abf3ba96d8f2e25b43028e1955c3766c22210794e970c9fda00f75c1
-
Filesize
944KB
MD5617688e85f5e25d3810c268ccafa6003
SHA15bb6f69f4ae386782d57530c072e76858e4e9b76
SHA2566e9da9cf0287137a7d6cfbc785487fdd2bc48c06ce9bc64330c4877ce062ba30
SHA5121e855d06334464fbe31a6664cabc1288de80f2aca870ffe5dc990d702f001436a549d076b1c11139086fe9e21e436fcc6c5dbe567f7a2bd7f0bb796c1194d872
-
Filesize
2.7MB
MD5e547c0d626331bed2a56ad9e340f42e1
SHA1ad1d9dbf29bd5196b793c30fb837808495e3d936
SHA2563c5e8c0a96b2b185387fe3f4a30e67f9317ea122e0de6f8fa636e5d53a148b3b
SHA512cf61ae1425340fbcf8c93f980e80a7faeda20e3bfd1e2b382333c9a8ae75f6ae950aa2b908e5cb4b1663ec2a40bd727cabff71079afe501875bc6958f9553ba2
-
Filesize
1.4MB
MD56f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA25670e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b
-
Filesize
3.1MB
MD527f6676a8ae816b6c71525fd308839d9
SHA14a0f006bfce61c3f2cd3e4f3dbc2eb8d412da98e
SHA25698ea4a9cdbdf2dcc03136492255195ab2d50008ef5f59473e2614ee5731fc35d
SHA512d6e698af88577ddc27410dcd3a478bfae90e971208e732cbbaafc51c7ed949298ac85aacd3acf2122871f46f4f644608acf1d32dd80683a38331c181e1c9faf3
-
Filesize
186B
MD5790dd6f9aab53b59e358a126dc5d59fc
SHA1ec6bf3eb0fa5d2e37c694bf71254e0ce0be1a5fc
SHA2567ca8c160037742b7da30366775d7aae7882a98e1fbfdbbefb743c2a93d6b1c52
SHA512a9d819b8d771febfa027de6f201d4effaf7bdd3334255707dddceb57b2b322649698903ee5d72f0e431780d29b01abedd5250d372100e6c66c0639965f86c7ef
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
91B
MD59909cd0b8b9560be4a4af0a1441e3615
SHA11ef176ea52cbeebd2f0023117c1caedd7eb30feb
SHA25673e10527f1a99504589c3208810ad85535e5b0da8ef5d0affb5e69e054853351
SHA51284bf5e45c26e6570e8244443290a88cead1d5c606827a8c403b6e81d6fac9e599742353c2739534046e76992ab8c180f8b6fbfb4ee4941bf3addd27f1b20fd14
-
Filesize
91B
MD539804a5d04e887a2a695790dc9e2ef56
SHA1da45af16722543182edaefbd3d9e079826679715
SHA256fb30614111b5e1bebdf3c2e171b033b19e83cdf23efda084726aa4f885b58f7f
SHA512e84d8b9dfd7abccd8c26eba528ee5e3470f0ed6ee6971d2f0cd95d44d10b66b8dcac38a8225da98e0ef2003a97ce435b96ea812053adebf65e8664c122b240f4
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
6KB
MD56bb6c42ffd9ab0a9ba8e0eaf0271211b
SHA1f8ea5217bc106acf501e13bf1109857eac3535c2
SHA25679034ccc9477a16fd5a5c8b8f8eedbc121e17f9bf2f198909d3d34c7157e9854
SHA51287ec6bcfeda745e859c939172351c08527ea200918c339543163948c51699a5f095ebd31b2e5441d9334eff36e044b43c2a2165ff8b986d4f3e132471917517c
-
Filesize
7KB
MD554c8b355e2bf3082e572c5089b6436be
SHA1cba79b344b4caa881d19dc48dc1d7a287f51cc17
SHA25617bec9d4f5cab323dca06d4c3ae6a3a5150045155b221aa0b53a6346f9bd1529
SHA5123998ca44a03b9da7246a77637af61b4c8a89e96bb44e278f0bcd1401d3e6007452055af717953899ee4c3354bb2844c4ef0b057775c596942431a150d5a3d1d5
-
Filesize
15KB
MD50ddee1f3b6430ff208f44be02283dc27
SHA1b1bc8492d6f43347e569767c8a707e1c66eab49e
SHA2567274add30dd6d0657866f127537753449e27f23f7af6b8d98fba6200059e6c2f
SHA512c73a8b58bc7a8ca5cb7ef984f8b234b643a5ddc40a38b1f62a548727ce7f59ff7ed4e01794b6c6e234174dae224ac505d423105dff099e872ef873e74f15b9d4
-
Filesize
5KB
MD5aa9d145aca10d23b0857ba7bf17d8865
SHA16f7155dc62dd43131e4e532b347dbfddb64336ca
SHA2565c95d658acdbf4a9662bd484cde0775a6f80eddb65707e0c8fb674157347c0b9
SHA512f17408425fb05723a49f98dc94cb9acf14914ecd772dfe523cbcc514cf6e405529efde0855fa7a5f75abe843374cada6aa18e7264d61f80e9b8b7f3f1d34099c
-
Filesize
6KB
MD56b5042bad0ee2b520bc115b3218be41f
SHA1442c119c2bd2974c2a9d80b0e7dec0a5f0cd9061
SHA25623f1651c4d3ded032f24138d906ab321b746b6f52aff11223ef68149d855df2f
SHA512a9674336778639f61df36bc5a723a665f088c3cb4a02f4c5baa76ca8b68ddaa2afdeb962e57338ae6368239b17ccc896a9216536653203a905c763903aaf611d
-
Filesize
982B
MD5704f5ca55c62957b5d3fd61ae4d16347
SHA13173b07d74b9854b261f2e5457b67f3be16b752e
SHA256f4fd65dcb37b16bdeba7388cff19fe0c15bfd83043039d64a5d8c17f8f0de2ef
SHA512628440d28d92790e14c77977d0fc4d6141177cac96bff965d42918fb6138cd8ba0574cf78d94e4e8e5b51b237b1a5e07f18a5c46a95714a8f00d626451c5b268
-
Filesize
25KB
MD508f2834303a94c9c57dcdbe10eca9a46
SHA1b557db382156e7e6eb06729eacc89b0396582422
SHA256505251c82da527419c007c890d65f51012e23bc5a237a4084c340719cf836a27
SHA512fba0d7f21ab264d0d3d6c4076a5f5b578e146d98065d64f52a4f3fa08cf6a079dbea943a4ddbba314ff96d3576de6ac46773e0c4d5bc3cfa202b352461faeef7
-
Filesize
671B
MD5de723230def9afa319a96d79311810c6
SHA1ddba686558fe20f4bd6e62556a0193eed6182899
SHA256630dcfbf9958ec2e8a70c43c333315d0e2b3852fbe23b4209d7e59aaf9142345
SHA512ab6702923ed4bb64bce284cbac6ce128672657cb57a5a43e3d93c7cc1733988c6e0645518ff0a68aff07b44cc720aa0f61bad6064211c9d07cf85fd5cd44a4da
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5427c2761f4e0b663cd76f633e169e092
SHA113a2420d4b08e59e96ab90863ce0280ee65a265b
SHA2562518d88135b97698001bceaa61d93a2422750e03135acf27e48041bad7db92a3
SHA51285d9cf0e7048146937d1fe4a716a6de0b6be974e1302e47f5f77f721b1b865cbc007c7ba2f2b95bce5ef34084d7a52f75921abbd00f88eccdffa428c8ddd4897
-
Filesize
15KB
MD5e96b39a5a9a117a98cc99145e2e44660
SHA1745c3dbe1bd85044aee9bb98032bca8b71cd18ed
SHA256dcb52683ea89e41e9f9ab871e84f76e87cf002dac91615866667801c219ceafb
SHA512eb3fca579c2c3f09416e44468267a66858f1663a70f45613be4273774405a7e5e81fd75574c02196dc4cf11118351691a7c0faa683e7298646ac3ac50eaeaf28
-
Filesize
10KB
MD510690d490f42986c58fea3d49c152d0b
SHA1bf8b4b6b78163b26bf52ff67b5fa87a412b6d647
SHA256467bb091cebecef225f69a101439500f79741ad34ceacc1bd0f3b8818c75423b
SHA512b159a0b3a6def42d6a902a5fde8d1c5669b5dbb2feaeaa16b7c64475957b35e64d639724fa36ef57155e8e9511dc517d66a98368515f46dc5b7e57a94acafadd
-
Filesize
15KB
MD553f29126eeb38e0603b1e429d375fcf3
SHA1530c0766c9919e4f0e764968818199cbd1097f28
SHA2560194229c8a3e39746e92024c50b2fc99a25e0d165af10a1bd5964084a98b5489
SHA5128d0d22448eb42eb174f28e487dfa822afc135996791e8eb6e777f4bc412082633f16f0ec4125f9c365230873764f05a23f1daec70a178aa025fc5f288583b825
-
Filesize
10KB
MD5f4bc1878937c03dc653bf0cba6bf98b1
SHA13cc7d2c012ba6df4490093cd2f8ce81b8c369214
SHA256805f6b44e5a1c446eb2769fe39559af3a24e7baca428022b13a7a7ad098f60b4
SHA512eb6e88c9be0bfe18ef01f302bc48f15f41816fb43791d2fa507d397679fd41871ea1dcd41da7485fb3123c0120f026e8550190c2b3f01ad4d10923e3a9d0e69c
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
104KB
-
Filesize
824KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
9.9MB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
424KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
3.2MB
-
Filesize
132KB
-
Filesize
240KB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
712KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
152KB
-
Filesize
584KB
-
Filesize
824KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
136KB
-
Filesize
2.5MB