strela | a8982034b8745ca1dc3b8816b16961bf4e996c911c6411bca8530d8aea7e0610

Analysis

max time kernel
96s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gross Beat 1.0.7/setup.exe
Size

11.7MB
MD5

1287223e90507c1ac0bc0b60f1b039e9
SHA1

7853f575349907eabb0dcd190fe746eb1c1c8d01
SHA256

b13ade9fa58f96d8f03e4e241455c1af226d6b654e2ad48a8ae7d3a61f7ad64d
SHA512

b90117cee136da27aefe612c73284a9977fe836ac364afc68d7bb78ca6828efd21b60b2c9ba866a6bcf0479db1c64eef6fe06b4ca0ccb0f2d8a3e3b333361d2e
SSDEEP

196608:uRRS34smUEH4IXhxpMzHQCMFGfDQ5jSajl3clBg3j/cWnoCfrR1:uq/fRI9MzaGf0nl3cli3J/

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018f8c-29.dat	family_strela
behavioral1/memory/2884-30-0x0000000004110000-0x00000000046DD000-memory.dmp	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Executes dropped EXE 1 IoCs

pid	Process
2420	shareddlls_install.exe

Loads dropped DLL 15 IoCs

pid	Process
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2420	shareddlls_install.exe
2420	shareddlls_install.exe
2420	shareddlls_install.exe
2420	shareddlls_install.exe
2420	shareddlls_install.exe
2884	setup.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gdiplus.dll	setup.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	setup.exe
File created	C:\Windows\SysWOW64\mfc71.dll	setup.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Image-Line\Shared\Elastique.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Image-Line\Shared\oggio.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Image-Line\Shared\Uninstall.exe	shareddlls_install.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\TB Small.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Data\Maps\Env filter - small knee.fnv	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Momentary.fst	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Turntablist.fst	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\TB Btn.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Gross Beat.chw	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Stutter.fst	setup.exe
File created	C:\Program Files (x86)\Image-Line\Shared\REX Shared Library.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Data\Maps\Env filter - asymmetry.fnv	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Default.fst	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Patterns.fst	setup.exe
File created	C:\Program Files (x86)\Image-Line\Shared\SG.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Data\Maps\Env filter - default.fnv	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Data\Maps\Env filter - flat.fnv	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Gross Beat.chm	setup.exe
File created	C:\Program Files (x86)\Image-Line\Shared\LAMEenc.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\Back.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\Demo.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\TB WP.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\TB PrevNextBtn.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\IL Gross Beat.dll	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\About.png	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Data\Maps\Default.fnv	setup.exe
File created	C:\Program Files (x86)\Image-Line\Shared\Reverb.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Image-Line\Shared\wavpackdll.dll	shareddlls_install.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Artwork\skin.ini	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Flanging.fst	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Image-Line\Gross Beat\Presets\Pitch shifter.fst	setup.exe
File created	C:\Program Files (x86)\Image-Line\Shared\dsp_ipp.dll	shareddlls_install.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shareddlls_install.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a2f4-149.dat	nsis_installer_1
behavioral1/files/0x000500000001a2f4-149.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	chrome.exe
864	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	setup.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: SeRestorePrivilege	2420	shareddlls_install.exe
Token: SeBackupPrivilege	2420	shareddlls_install.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe
Token: SeShutdownPrivilege	864	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe
864	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2884	setup.exe
2884	setup.exe
2884	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 2884 wrote to memory of 2420	2884	setup.exe	30
PID 864 wrote to memory of 744	864	chrome.exe	32
PID 864 wrote to memory of 744	864	chrome.exe	32
PID 864 wrote to memory of 744	864	chrome.exe	32
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2608	864	chrome.exe	34
PID 864 wrote to memory of 2664	864	chrome.exe	35
PID 864 wrote to memory of 2664	864	chrome.exe	35
PID 864 wrote to memory of 2664	864	chrome.exe	35
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36
PID 864 wrote to memory of 840	864	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\Gross Beat 1.0.7\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Gross Beat 1.0.7\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\nse1575.tmp\shareddlls_install.exe
  "C:\Users\Admin\AppData\Local\Temp\nse1575.tmp\shareddlls_install.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6699758,0x7fef6699768,0x7fef6699778
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2128 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2140 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:2
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3360 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3688 --field-trial-handle=1380,i,850117062889699637,8302336693852464178,131072 /prefetch:1
  2⤵
  PID:1256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\712ebe44-f909-4237-a0d6-a161e3e24600.tmp

Filesize
319KB

MD5
909500255be6da47759d8fa22a89fc3d

SHA1
4428db02216978a70e540b06f67a7620267cf150

SHA256
9d3f0115397f536da4192ecc8fb0f35a1fc8c83001393df7b80f8d0c042d62f4

SHA512
5ecfedb7ddb6ff5e47ca7ec0ee87f4b100a2a68bfb2dfeef56ceb5b6b460a631b2841a732d300962c4c69df093199236e5f0dc07e6b18085b13e6e44d4aa96fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a63ba19c8c577667aa69604cf04a3ce7

SHA1
c1c160da9e3449f42f2e9a75e583494ce401b1b5

SHA256
53dc3597babcd4c1cd0f4ff9abdfe29279aa3782b0166ee8b1ca9185292b3efe

SHA512
d990b85ccb3676e42eefd5496e314d4dfe69617ba279191faa94f73cf85da38b4b2cc09bf9b727c34c9fd6c47201bae32cd1a0c945599748e45cb603e8f01828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1431d9c82f26bb6fe0ea69353a903eec

SHA1
4f7c077b5933af7948329a607b43566aa475a491

SHA256
9faa0031fe12e8cef4e5395d4e016aec94a837d3e8ae4a4c7a8578a227ea91a6

SHA512
ab00c041c3398b5e46fdf3ad8da2363edd7238d0c3a8f5429dc23c289ea8722151745b8ff456301e59200c1c018c35a236e67e36e2a810cfefc796cf0d493335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
319KB

MD5
4a5197b35a5ecb2da6ffd9f9c20ae570

SHA1
6cabc0ccb10652bd881855edd3bc00b355f51f04

SHA256
b6d99f892a6d3838fa8822838cc26c8c959f9a79dbef17d17e6144c8c5d0b73d

SHA512
056fed4ccc6e32915da67852cdc76c34f1f473ae9408a23619cbbf32b335c82d7787a6bf294dd9169ebed79999fc85e13e608f09c51599838c90206d26f69400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse1575.tmp\ioSpecial.ini

Filesize
564B

MD5
20dd35ff504888bcb2d25643ffba23b9

SHA1
b00cf4acc046bf76be4b59886b6929de24ac3308

SHA256
ace5a5ae73a0e1678c271fb258dad8214b2484d6370af17cd42bf6dec548d98c

SHA512
476ec3dc28762c2ddcf86b374b3a4f4cc5cbebfb61339f6635bec3cebae69fdadec23d2e4f7b410159eb3b428d4644a5c7e5d1010f64404cbd2967531259de44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse1575.tmp\ioSpecial.ini

Filesize
702B

MD5
77de047797b730a7972a22434432b9fe

SHA1
7be02cddcf942059a894612ec65ea9776d351aae

SHA256
a584f110a386350d00bc4014dce1b90e4e5d00123bdb39b3cfe7bf929e33598e

SHA512
d918e3ddd8caba8d3ec868340f37ad73803a6c1e45feb30e452aa480442a08270e8e25bd8cb22c21e2334eb8a9ea7bab2702a9e6ee18424dca8b6022f33c9402

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\AdvSplash.dll

Filesize
6KB

MD5
13cc92f90a299f5b2b2f795d0d2e47dc

SHA1
aa69ead8520876d232c6ed96021a4825e79f542f

SHA256
eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

SHA512
ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\Bass.dll

Filesize
101KB

MD5
a8af308ff01b4477657955fbf0cc8408

SHA1
0794c059f0326e4a71be8a3ee4ac17a657d90d88

SHA256
14a38f56be50a3829eb1eda2a908da2de5913f81d5cb01d8b668593d0fc36594

SHA512
9e221967db95d4b86bf311891193dfd1515806aa0d43198d3bc26a17d77f06f212ab9dba1ca8575f50d224380e8b109529faccf2f56daac834da83a83677a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\GetVersion.dll

Filesize
8KB

MD5
e013b625f5ae1e2f0b442cf39c0069df

SHA1
9ec785b63279144c091366badda65278c4cdee20

SHA256
16dd6da98b7e53d374830cd4c644c01b112955f8487a285f34dc0353e9cfac15

SHA512
306f7e674d119d129db48012c43f825bffabd078fac8518aea9d514b0787752a2e876bda2ad15df7332bfc8cfba38a0d1be17ee7c58a27e09678fce9aec58418

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
028251654a4d65509aa8ccb5f2ee284a

SHA1
4a4ad468a86df6b903002be4f8919017fea0c152

SHA256
8b25cf3f7aa82fadccb2ce615ce0e40c5a8a3ea7bc51180a92173ee113a0ccfe

SHA512
f252670bca0da9e8e2c519a6ef4ad6dd0c4e548aeb7566693a7d203e73e63345fc58683072020ef771d836429bed1d7b4fdf105aa3e62a969e9c8d39556e1d2d

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nse1575.tmp\shareddlls_install.exe

Filesize
2.8MB

MD5
4fe8ff7f02020ea655944db5541722f3

SHA1
b5ff619c215529a4531337eef36167051cded658

SHA256
599c63aa0d0496363c7c99217e6c3d941125907cc4ea4c7d5d73c9b54e3deaee

SHA512
f4802d00d46c59882a1e1d3b8c0a43fd2ba4b22819d5417ad81cf4522e796176a920f81a6753e8297d49b3b0e60f3e1c27e4fbff2a6cc100d01cd0a39a75b4e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsz8661.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nsz8661.tmp\ILInstallUtil.dll

Filesize
94KB

MD5
e331583b908a92193e0be215611c7309

SHA1
937106392134173fa3cd640c66ceea5152028e3a

SHA256
be44e27e8b1c78a2696451c8afa21412136bea12bc033ff9d0251922b4c97631

SHA512
35602924859dd83f23c728446b84e2c89fe4fa83a33842e50e96b7442ab16205ce634643185d13e086253e79685f0fbbb6c474c057b061f566ff763cbbc7d240

Download Submit
\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/2420-163-0x00000000004C0000-0x00000000004E1000-memory.dmp

Filesize
132KB

Download
memory/2884-122-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download
memory/2884-262-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download
memory/2884-176-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download
memory/2884-38-0x00000000046E0000-0x00000000047AC000-memory.dmp

Filesize
816KB

Download
memory/2884-30-0x0000000004110000-0x00000000046DD000-memory.dmp

Filesize
5.8MB

Download
memory/2884-24-0x0000000002CFC000-0x0000000002CFD000-memory.dmp

Filesize
4KB

Download
memory/2884-23-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download
memory/2884-22-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download
memory/2884-14-0x0000000002CFC000-0x0000000002CFD000-memory.dmp

Filesize
4KB

Download
memory/2884-13-0x0000000002CB0000-0x0000000002CFD000-memory.dmp

Filesize
308KB

Download