Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 02:02
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
1b82d576a24fea9887d2053400b398e1
-
SHA1
c16ed93fa092a43ed3e58cfe67a97cfc2a116fa0
-
SHA256
63dd53f2a2e04de1526484e736943956df062793e16274a8c1460a229d7149af
-
SHA512
5df6454c655b96a7004630123848201e2e43b084b72adf8d97f1e3227bf0f473ed27f49b6edd1f6e2f28dc2937680407bb09dff6c3cf467cb08de31a238928d8
-
SSDEEP
49152:Ao4gSaEAMcmCV75hKOouPdSxTAM3dQsHC:/RSagctZ5hR3SxEMNQsHC
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
https://infect-crackle.cyou/api
Extracted
amadey
5.04
397a17
http://89.110.69.103
http://94.156.177.33
-
install_dir
0efeaab28d
-
install_file
Gxtuum.exe
-
strings_key
6dea7a0890c1d404d1b67c90aea6ece4
-
url_paths
/Lv2D7fGdopb/index.php
/b9kdj3s3C0/index.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://print-vexer.biz/api
https://infect-crackle.cyou/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 12485⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 12205⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 65⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 125⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 125⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 12729⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 12529⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 12529⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp59.tmp.bat4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013080001\39785ae6d9.exe"C:\Users\Admin\AppData\Local\Temp\1013080001\39785ae6d9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 15084⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013081001\fbd2a9c4ce.exe"C:\Users\Admin\AppData\Local\Temp\1013081001\fbd2a9c4ce.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1013082001\6250161932.exe"C:\Users\Admin\AppData\Local\Temp\1013082001\6250161932.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e6fa85b-9d03-4322-ba74-d928cdf9708c} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cae4e30e-a2b3-44e1-8e2a-5b7c7a0cec62} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2752 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {577f3504-af1b-48b2-9264-fcb504006d01} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 4080 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf86858-9122-48e5-9b80-a16e5a6554da} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89c8eb37-8130-49fb-90b8-925c0d812e64} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2263c930-377e-4668-81df-a77b23fdad40} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68d1e6c2-b014-48c4-b96d-af9f9abc6881} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f198b53e-973a-417a-82d3-bf9dbc9cfe94} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013083001\9e5c7cb5f1.exe"C:\Users\Admin\AppData\Local\Temp\1013083001\9e5c7cb5f1.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4156 -ip 41561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4056 -ip 40561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4056 -ip 40561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4292 -ip 42921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4292 -ip 42921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4292 -ip 42921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57dca233df92b3884663fa5a40db8d49c
SHA1208b8f27b708c4e06ac37f974471cc7b29c29b60
SHA25690c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
SHA512d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07
-
Filesize
24KB
MD5fa82c23e8e8060ffb0adf92cae131cdf
SHA15f06bbd0d51907d4e88701dc18e09ab726ac18f9
SHA2564c45609ad82b2a400e2c4048956c98316ef19d622a3cef8bee92920df7e7bf7f
SHA512dff7d9fc642c5402f15aa49c8b772523475a6cc5f09e5bf6b64c2f41cb5148dc2d50d3939ba2ec3d224f80b5ec6931e302d0ca2f3b49477adccf090c5b084027
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
5.0MB
MD5b183e5ff29a1532a84e5a38983ab9e4e
SHA1230c9cbd2e14598aaf73ae78c85c998a6b923a51
SHA25681a45f430c102365b46c663203ae5708b6befe2848f01efc7b702aff7170c901
SHA51231be2761821fb6bc81a010a3f68fa6901aa5e9768e9c57db53b52e0495c7340abccc9191500aa39540fef159578403e78d2af31ac364b89774d5f359b54c6c1e
-
Filesize
2.5MB
MD5d1e3f88d0caf949d5f1b4bf4efbb95a4
SHA161ffd2589a1965bf9cb874833c4c9b106b3e43e8
SHA256c505f3b2f40b8a68e7cacfe2a9925498ab0f7ef29aa7023bb472597021066b2e
SHA5125d4c43e858371f24ebafb56388a586c081d7b0289a3b039dbb2b011e9864e8e9f5dc7037fcb3e88f4bec4259a09ce5f3ccdae3161b43dff140e0e4ca7bff96c3
-
Filesize
2.3MB
MD5248f05d3601f7920d63e00e92e9941f1
SHA13fa1cabfd0456199382ed49d27362b846fe5b7af
SHA256cf559eae350d3165aa63d67e5b401aebfc78ab0bfb0bed686aa827cbb977b520
SHA5120e1eb9a8cdca28e52af7d32876be26b59716eb3edb77d8b0ab7787f04c90885b063b24993955297774d0f930342c8ac07becb94cd095c4ce0fa311c424c250ac
-
Filesize
799KB
MD589bd66e4285cb7295300a941964af529
SHA1232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA51272d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
-
Filesize
5.9MB
MD53297554944a2e2892096a8fb14c86164
SHA14b700666815448a1e0f4f389135fddb3612893ec
SHA256e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25
-
Filesize
1.7MB
MD506cc1e6cb96567a1c093e5818199c923
SHA1f8088a097de5ba333506b686eaa6aa6bf0f49db4
SHA256fb04fd6f7e99a164af92b5ea236e1c9cc62f6bf842e263dcce45429d3d7068b8
SHA51285f67606ebdde69f3df353da4efb409847e25ad9c6df343171befbfab6e4049898c0cd88f6c7377bd08180f1ae7b76f27753ded56efd46ea8730d8249287e869
-
Filesize
1.7MB
MD57218258407d8eb0196cde40a1c5077ed
SHA194a13e5bedc1f4f68f913e6f8661219d42775d10
SHA256592abfafc316f7bc70f4ba70308b1351438f8a57f20d1e7d092f486076ebec60
SHA51243dbaff962e0b82e19d228e6d72e4241733aab6fdb395b3721b6641e80dd6fb680e1e8375959239a6fd76fa72708864fa85462373980851b3a1286633afdcd0a
-
Filesize
947KB
MD500e85f531dfebf8fa8a4539da21cd8bb
SHA1e872754179cd34ea1a06f1a1793490a55553ae54
SHA256c41bf66d05d11d4c0cd3ef2c245f7647ca64fd99220ac33694a40bd68425b03c
SHA5122b55fa94017c4eb97d72e15fde5e32b922db3cc3d03a98c2ba10d93c3f6d1fc332daae4231809e1253689acc2103cfb151bc87b33f099ad7a6acc7ae84ec286c
-
Filesize
2.7MB
MD536521d750e7fd8ba209fe3efcb1ff687
SHA1214e7fc99702013baeed77d562dcd98353cf2a2b
SHA256d9afb3b438f245aa0f279e1e0a70263080df6fbd4cf134e30356274a287a1463
SHA5123e61d70dc24070cedf3dfbc14d3852ca022a5966d71f9fa189a4fc5d7433d60b11b9937b42b4a4234745a690f1455639e5d6961f36762d7ab3d69b2c0ddf5e88
-
Filesize
1.4MB
MD56f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA25670e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b
-
Filesize
3.1MB
MD51b82d576a24fea9887d2053400b398e1
SHA1c16ed93fa092a43ed3e58cfe67a97cfc2a116fa0
SHA25663dd53f2a2e04de1526484e736943956df062793e16274a8c1460a229d7149af
SHA5125df6454c655b96a7004630123848201e2e43b084b72adf8d97f1e3227bf0f473ed27f49b6edd1f6e2f28dc2937680407bb09dff6c3cf467cb08de31a238928d8
-
Filesize
186B
MD5790dd6f9aab53b59e358a126dc5d59fc
SHA1ec6bf3eb0fa5d2e37c694bf71254e0ce0be1a5fc
SHA2567ca8c160037742b7da30366775d7aae7882a98e1fbfdbbefb743c2a93d6b1c52
SHA512a9d819b8d771febfa027de6f201d4effaf7bdd3334255707dddceb57b2b322649698903ee5d72f0e431780d29b01abedd5250d372100e6c66c0639965f86c7ef
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
90B
MD5942c5b1f0444c8c3999a78ca1bd0182a
SHA19a010898e0f1d9118019bbd6da5fc35e65bb9529
SHA256933c13084be642624b528ee5716556fa64557b54b71086c08d3df53778b5c730
SHA512790b46d1f97cba9b237e7e4c3e033278dac9dc020e2e65830ba138d2b9b6dc51221b2dc2d112d95fcde3ce759b0ea09414265ac8e9a7b35ce4d0a9857c2eb58a
-
Filesize
90B
MD57882efbe8c2b33386a8d46712aa8e400
SHA107121b5f653be07ea0d4d25abf7e11eb4004178c
SHA256b2ef6b405d67d28f0f9db91b137dd8f0c32d34181aaaba6e702e14b47c750a5f
SHA512b7655cf83f605a0db7bd6796503047d5a07dc2a52c4d9e4fdb816f3a478206bfe479821b6b8b0dac03b566f3f7da5b280994a8b7c72e59569947662cb509136d
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
7KB
MD55d4d1af8c6c1baa6f976b2feb9b73e17
SHA174d63adb4634583610122038bf275f3d20252ad8
SHA256dae2ce97c3bc74bc47378ce552b85154b4230aeb556da7d1e0d5f33c01b625f5
SHA51209a4b17772ad03e1ae504faab78b1b8b576c96bb1bb3a97e0f7df7de967063cce7e9609b6ec793604cf861706fb1499e8a0fab989f158af4ef5608ec5ad407b0
-
Filesize
10KB
MD543163a4a813c5a41878e0b443bf7b68a
SHA1b881c040aa4e40b37b95f037365acd488a061027
SHA2569707f69274c1a7b10d8610e72f677fed1ad60c9c8579347a393a1b7317c843bd
SHA51257d0165930c1557889f84fa37f2e4f9cdde5e757b3f63df2ee142b1c78d0798af0e7dbca32e715064540d0e23d10b4f1634c4e5666f7e94b10063022f9995862
-
Filesize
17KB
MD52d3acc08b0d451432faf254585beaa17
SHA18edcc0d0d444daf227b59fdd1cdff402b54ab233
SHA256898d4576c9289159c3a6ad6abc7640d99ac150e519f2db9061f0a03b2fea7d2d
SHA51292fed7432a28d2faf9f3c9d9a24e004a2a55e23a03e3976ab360628c73a85244a39600ab247bcd00b7164d5cc8a5a6018142a66ee7c6d1f36eb90b6b96aea976
-
Filesize
21KB
MD545978728d072864319da2aaaa1991bf7
SHA1d0962e8b711e7e7330dff418df39bbbee812fec0
SHA2565f73335f148a23b7db9e9206f7783199ec7a61c832114a8065d9f84e7c9c2814
SHA51218fd72b05c2639b4f12f31fcb44477a9371a7dfec7272670bba555a04506d6abe02b72cc10b66efdb604f253e84a7223e9c7d60c6e717a41d5eb115fe50ad158
-
Filesize
22KB
MD56f6bf9d23f3e2b1bb03c9edce51202f9
SHA1c3f36155ca31de3d15d2bec27ab250579f75aba7
SHA256be2f99f89abb57f806ec0ee8fb1ce234e92ded1c3d454d90578ad27cf44f7160
SHA51216e07fbbc2ee7e00e22e4ad80781fd36db3ba0d7b53e9713cd5b6fb4cc955114fc5688dcaf132d52ddce463bbd1c2d53d854bb19e2c4dceaca5df3496215363c
-
Filesize
22KB
MD54866083440b30a5e221034bdb165d805
SHA1bb29b7aad32c4dcc56e7e7da1b886f60c4469b2a
SHA256a62f965ea013fccb211a1b8599c08a235674cd33ebb7577b5458e2c60156020d
SHA512a11eaf753d8f5a7027aa61c96d493a95a459cebf27f54b163f9ac1d378bdb22edf526e93666e1ab525c6201190d3cd9fef995e6a11368a057c0852dff7603938
-
Filesize
982B
MD5ee99630bdee66393e60489c5b53eb41a
SHA168a72b561fe14f4e56b00a7f2a43ccb5116d343f
SHA256dfe2222359d661a4956cc3b2a481a26fb5ccd3ccbcafc9c779336fd173a9cbe8
SHA512ba02e9404e5fdc535251911bb62180945906bdafa5732b922c10b1abc44e20ca1a7c9caf3a35f85572f241039e664223d0c02d5bdc3e0db16ea7a08064719418
-
Filesize
659B
MD5b1d31a5aa7c80590aee1478d47331888
SHA1058b68a7b26153f2e2dfb1f8911582adf6bbf7ad
SHA256b21125311862abf936ee3e4b85c0d18db1f5e5ed0b1d07c5fe428f803beebd40
SHA5120669977bd28199ffcae70c0348d77ebf05364c9074640286d344244bd7b0cca41b125411f2d0d9c824e64bb8c4298e276381d5e26cefadc5722cdb86acdc9f95
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
10KB
MD5f2688a4d42a81bbb72a0328152d24ba0
SHA1d4a7662153dddb37c29002945678790ddfd5bc19
SHA256a7ba4935e8b7518c9007e27c5b7770e398c02b2c33baffc7c1fdeb6d294cfed2
SHA512f118efa40b721ff146393423805e5fc9fefa67466d17087052a80721b925ab76abd5d7a7ba5d714363aefa465e4e3dbb27a8578aa33b36795d2a2de8847838cb
-
Filesize
11KB
MD538552da24ab549b0756f89ee0c9fec76
SHA173a9b04613a53d762fb0da3466649c17b83f6ddc
SHA2563694b5a0678e7c2aa6c79b1db1710b7e24af12aef04b785b12d84131e639c898
SHA51225358c54a9b7802c952d4c5958ea6664dbc9637166e42329411f130feeef7f71f5e8424a2f4abf357aca2b6a515fb885d33af79bb9b55bdc691b58802387da1c
-
Filesize
12KB
MD5ee561d8373d86c5bab81dd014716f05c
SHA1d4626ec4ccaa56346e4a52bb80cb7e232fb4e41b
SHA256f1a2258721b3a91a558b8e2ccf77f19dedcc2487cfe70e36bd5034016c0bc8a4
SHA512e50fddb7e079a6044cac69a693647ed5f6794f06dc9de3f6f5fcb9e0b802228d00f241c428544ec7bdb8e5f9b75bfcc51c03bb1ac132dde0df12208a63f6e20f
-
Filesize
10KB
MD5dc53f0c1cd2ee57c86602d981244bdbe
SHA19917deb60785302e730fd1680ef06e5cf215d0be
SHA2569a0a8e06d98bf57b3efecacfc80aaa9982ec69486aed06f4039c1065023fee7e
SHA5124eb02474ee12b8ed2c0a0114b94c60084edc7d8318bddf7b650d0a52ca12e70239f66a4dd8ce3c03a4260383374af417d53003c777f0eaa5c3c625e0926954e6
-
Filesize
3.3MB
-
Filesize
9.9MB
-
Filesize
240KB
-
Filesize
132KB
-
Filesize
3.2MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
424KB
-
Filesize
304KB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
9.9MB
-
Filesize
824KB
-
Filesize
104KB
-
Filesize
24KB
-
Filesize
5.6MB
-
Filesize
824KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
152KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
136KB
-
Filesize
1.3MB
-
Filesize
624KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.5MB
-
Filesize
136KB
-
Filesize
1.6MB
-
Filesize
104KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB