Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 22:12
General
-
Target
a052f4b605fadc2246ad4a836475e03a7a0358504444e4d37b789d47846845bb.exe
-
Size
1.8MB
-
MD5
3e44173d762d37bff50d6a472bd04617
-
SHA1
c50b5b123741dc91f509610845740c42a5af879c
-
SHA256
a052f4b605fadc2246ad4a836475e03a7a0358504444e4d37b789d47846845bb
-
SHA512
835ebf204b0b29c7776c0646424cb147c5b638f20af229ad18fd560048ffcb0efe7f259ca95679c75bf1d7e65ce232917cd3e69366817ab89b75422c0e18f37f
-
SSDEEP
49152:ZyST2pW9vXjgaDpedtkXK/C8QTeH+CYM:GEg8pedtka/7QTeSM
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\a052f4b605fadc2246ad4a836475e03a7a0358504444e4d37b789d47846845bb.exe"C:\Users\Admin\AppData\Local\Temp\a052f4b605fadc2246ad4a836475e03a7a0358504444e4d37b789d47846845bb.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 10124⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 5684⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008532001\ac5b7e0557.exe"C:\Users\Admin\AppData\Local\Temp\1008532001\ac5b7e0557.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa81f2cc40,0x7ffa81f2cc4c,0x7ffa81f2cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2540 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4284,i,12953060530846746710,9109417581944608396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 12804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008533001\6c20cb5c39.exe"C:\Users\Admin\AppData\Local\Temp\1008533001\6c20cb5c39.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008534001\f4715eb79f.exe"C:\Users\Admin\AppData\Local\Temp\1008534001\f4715eb79f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008535001\70825e46b8.exe"C:\Users\Admin\AppData\Local\Temp\1008535001\70825e46b8.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {596d18e4-b854-47ef-8ba4-d34f32af1e49} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf87d6c-53ef-4334-9c22-478352dd5b50} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 2600 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c44f612-eb9c-41a3-8ddf-ce04f85ef67c} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3700 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67051c22-6eb9-4941-aa69-7bb4a4f2c278} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b10bcef-dfae-4d30-a4e4-1261247dfbc8} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84fce242-8cb9-49aa-8ce2-2fe6b9ef6a3c} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47d4ab23-8913-4f42-b8eb-3712d669f4d4} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5bab04d-f63b-40ef-9631-810271b5a506} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008536001\8dff107561.exe"C:\Users\Admin\AppData\Local\Temp\1008536001\8dff107561.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 31601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1128 -ip 11281⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2096 -ip 20961⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5c63f706f9f00be93bea2b4fa8da7b082
SHA181101f45cd4fc4a3416f0810fec1743ee59bedbb
SHA256d265e1a5c14a8ff36d126425dced840532577f6721afa5de629206a72f9d64cc
SHA51274d931bf5dd09820b368fb225b475ddc47a6d0e9b4caa2e09d6c824d75cae8892fee74a914bdb54c0fd56f071d117c06e1aeabda7aaca2b2ff3363f2bd7fa884
-
Filesize
13KB
MD57e2494a61cee3f824eaa0849df876162
SHA180446445b687582a85bd9375e1d9e31cd8a9c239
SHA2565849e490139252617d5d283cd77050c664158b5f7b20c538d827eee53d54832e
SHA512f0b41d5bd59473026b883c5c0bc1bb7231cd25fec1098e6b1c8f64795013a4d029e9d39bd51153744d0a9ce06188647a9001ad74eb39b7ca731f15cf66673597
-
Filesize
649KB
MD5e7aa83909ace3906ec75144cc33e024c
SHA1333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA25624443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
SHA512508fd7984ea8b9d8c8b2cd3c7c3587941a6ee4627c7cf54fe56db7db75dbff0abdaf0db1b0c46876dc6ad0cc21735bd7a2f0351d5edeb735b2de796beef2ea72
-
Filesize
1.9MB
MD54cecb04d97630cc2d5cce80368b87fdd
SHA14f693736497e06c820b91597af84c6fece13408b
SHA25651698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66
-
Filesize
4.2MB
MD5e4ce436577c61894061cb66d79ff104c
SHA1f9fefdd313f0418ddf9d143bf66566c2932cc0b5
SHA256f9445c47bc1b7580e4a81cda77fe412ffad705411ab1cc28d164250d275a3017
SHA5126d3ead9324b8061e32f1e4dc133e6a1e129d24cd17d147595fe8aeb445c462b39a696edb5c4fa005d4fb86113b7183f37103b0e10648490ed87302fc423fb222
-
Filesize
1.8MB
MD5ace99b08916d1db23e510939aa97ab49
SHA13891ed604b6265e288bb1cfa5f1c952d12e15bb6
SHA2568682c013ec1c703d754770792b7229d40ab863d7e5c2f2e953be152b57ad138c
SHA512cca1590d65e0d32ef3c2acc5159436140cef2ab48ad7bc827176daeb503af1343d50d0fc1e946add3f9c5a98c4362284fdea42fa5616967bf49355327037c619
-
Filesize
1.7MB
MD56fe3130fbf57b8dfe19158188df1e915
SHA1ff0e2328c167f39bab919190099086312150ff31
SHA256d31217975514e9ecb073887fad050b7455c43a746a5ee3273368f48ba106d56f
SHA512bbca47bf611131d0041ebd05f1758d524bbe568b28a09514afa4402c53ad009f08011f79092e8d6116895e3165bf9e584f29926bed725e3e46048dc1be44ebc0
-
Filesize
901KB
MD54c4eb739fcbfa409e50878b57d82c424
SHA13caa458a9d00da3dcedf459d45ca927348e3f8bd
SHA256452c647c3a33b28a82330b450c78cf0e18d862a2c7aa756e730ba4a9859d44a3
SHA51268f9216799874f0ebe61253448d26e5c5b26b67ba13db096b7f8e713d26b87a386aa6e9c0111dd07edd7bab33e86ba55f296eb8d532a691baab077a3be568dcb
-
Filesize
2.7MB
MD55d3609d2ec83d15d87b45ca4c6333659
SHA1d4fcc48c2f86e794bab06294a70b30133eda409d
SHA25601d17f2ada1b93d1d5af1aa0b16af5eb328d4bdb68ddb137167fe26a7ee83c2b
SHA512423cf45f27f3ee3976694fab7aab03f81f76c61c52c468f555edb1660a260e8d63099135d73aa6f784798dab6af5de2b5796861c56bcfa592c48348ad2cf2753
-
Filesize
1.8MB
MD53e44173d762d37bff50d6a472bd04617
SHA1c50b5b123741dc91f509610845740c42a5af879c
SHA256a052f4b605fadc2246ad4a836475e03a7a0358504444e4d37b789d47846845bb
SHA512835ebf204b0b29c7776c0646424cb147c5b638f20af229ad18fd560048ffcb0efe7f259ca95679c75bf1d7e65ce232917cd3e69366817ab89b75422c0e18f37f
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD55c1cee479ee16476dac5bd4c18b39256
SHA1220c1d15462c3b3ecae718434b23bbef2e6df239
SHA2561456d6cfce36afef44bfa1f2d562e67586d41b7f831fef206a5d12c98af265c6
SHA5126f2d5b54f9e58cf50175e65e4c25f9ef9affb37776e79ec177cbd45dedbbc032f812475d9d87083e0ac649b510c2631be2bf5d1d744cdde0f87bb54f87f77e59
-
Filesize
10KB
MD549b4c71024bd35e31187f187f6c9357e
SHA1d3fa9354422909845ec603fe5f73c024f5c46294
SHA2566ef53e5da1ee8bf264d63d3435cb3c89de287458304d9ae7d9a2909e3713e52a
SHA5123b1f72c4379de2f5123a8084d68061d5e198a565f0e9f351bae9a6e6ca3264f808e60e5ed348c1b79c9d27ebd9b3c81556abbdd862be4f6d37c4fdb10b959705
-
Filesize
13KB
MD55a30ce483ff18d74d2dfb9f25506c3cb
SHA1933dc34c77d7ea2cb898a48b3818511928d9af61
SHA256cc312bc1d6c084ee62732bc100a964e147ef1ef03867b0c6651da28fd468e2dc
SHA512aa11a9ba6f137324d38328371b7334438337ac68d0d148d4e13451733e09fd06b7714766611b7aba06e2e640c14366a99c7557a6da09620bb2ac4226e4fadccb
-
Filesize
5KB
MD584858c3b3375a1f9102597654648d742
SHA1348909dbcc767f739990c1a05ffaf5ebc50f990c
SHA256923bc11807702566fa6f6053706300582e9fdd509c3ab554e7bdf98aefc8edef
SHA5122695e59b9a91a1eee1f2d805319558c3984660f01f81ef104f5ee3c149f0316e2e209ef7fe307b423a24198f9f05fb26106f543c6bbcada31b05464c02cd8327
-
Filesize
6KB
MD54fddbd13496bc7e8038021c3fc9a5986
SHA1722ca20f803ac039654ebf44df21e99cb1e38ac8
SHA256373bcaa3dd99d2aafd13372d4e30027a846d45054066fece41d466fbd4863f0b
SHA51283b89f3793d079c8d21a6e46e0fa37d028fa7eabb2fe66bb5093ad8cf871b2ecf83c83acef4c034f5571bcec9d8adc9e160110b020b617de766957f4d911ed48
-
Filesize
15KB
MD5987c5759f3a0fffa0cfcfd9743e83c50
SHA1b2bc6db4d693fa6370e4cf58e8f15c827fd6b0d7
SHA25661fee4af155577e81bb7a7ee52df66296e4a81333fec0b2f92672ff51b948c58
SHA51294e89428bd9a683e99f139c7d6e7548f1afd7245a1ebe40a2c401fea426347c8cd3b73595272ec9753cc16d021a0b28fadb5944b624ac010ee53982aaa414d4a
-
Filesize
15KB
MD5f1d33af086f33a793b4f41117885611a
SHA18bfe06150c493ff5d2f3209c0841bc3472694131
SHA2564ba3f88da1ba4725933b3c2ff60fa8ad61372173c58c7a158e85eb745ff91f59
SHA5121aa95f3bad4be82f66c12b0c0b875e92fd1a6cac1c4e7a748d66ae4ceb3fd2bf6fa72d6c59c6efb4f126b889a30305858a4d8cb14db4f67e221b80e3494a2296
-
Filesize
671B
MD59f3e75b8b1365efa7522520954c74270
SHA1968be8cabd26ab9fe52be676634f0e858bd6c27a
SHA25634c7bdbf2de4f9998026a0cef6b380eec8f26e7cf89b6c83e5c1536255ba0193
SHA512ac5487e29eb32dd3ce19fed7fc604291466e7d42d9d3de4d9b80fd8e9d051aaf15a5faebcb2547a312c8681442a06a7027866a9661b51b470ad1bb26071e5a9a
-
Filesize
27KB
MD5c9904677b9dd75b8f5f9ec97a2ef768e
SHA1ae629be093a366fd7757509f45d6e3038218a349
SHA25633bbc7b145dead4f4193cfb2d093e4a2bc871ef8504b7f92f356629ce648d3ba
SHA5128e1d5c670d97d62b424710d678d905f8deae57b3cd9da9f08b8cf20dd608db507ec29b52d16999e7d0e95308205883f336c8ea1017bef6271ca26ed468a19c44
-
Filesize
982B
MD54e105b60be1ccd6f8348ccedc7700f15
SHA1df87741ee6f2cd4fe545f9d871fcaaa5e737179e
SHA25650479155933fcab7a6fc2d74d3218248b9681802c17606040fc728ad497e9e82
SHA51219a8615d49e1ab0de0d71d9c4f1100773f91cffbfe642b5a8f55c2225e939a31253a5152050b79f98e06bad4e41873013e644fff3c29c804de893c304b763276
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD517e97c74180eaa411177f997d9915116
SHA15b6e6c66f8b526590e71ac0e0591ee2afea106d9
SHA25629abc0d9e4e70973aa509302376093700a77c7596c3ef2fe62670810852e4ec5
SHA512cde3b4cdc96078b6c53f8d19ca49603ea21b103229901e72b45e84d1cbcd19ce2705fd3ecb2778d6aab0f9d749ee18dcba8da67c69f539fe30d407b37667dcea
-
Filesize
11KB
MD527c3e554b969b19a9a55e101efea9443
SHA13766f544bf9a5d8f0729e960aa9e78bcd0f1f23f
SHA2568258ef70fb41f546d3c6248127befbe2e7a1094cf5c428a73c15268d093b6088
SHA512d2f96f3a9592e124b7c59b8c59f7f64ed61db952c292de14e22aa87ecb116760e2d12e65aa92eca89562b2991319380c5103682bb1b82fc0770fd2029767a59d
-
Filesize
10KB
MD59f2cf8e8c9530e0a9c9ad5b4034a33f1
SHA1a2948f86a8c9789a92f3e59c9dd5ccb198ee433e
SHA2569f32f6550a5ebb20dc80c9afb024eec62e5836e2af4364455168f4296b49e045
SHA5122c59c240e8a0c8ce0d88020e94ce54b5b0dc7bd5e51f62b922eb13f14cf5d4889f5cc16eb521a0fad50157757ab791ede19b489ad74d1ae47d939da02d82117d
-
Filesize
2.1MB
MD5987f6e02a83fce5f136c05143c30cc98
SHA111027330b2d7eb96df28c9818a3de6d195f96d7d
SHA256e7dabe548fad8cf44a3654295ac47f3a475ba39425a926b1a99216f487ff7d79
SHA512addea2a0a6a69006a41d54263df0bb8e8a2603a0aa4fc9bd446ee0bcb83b9eb8cb07d80a20e484f20ddd4bc9f776d233dacf6a5f2c1c98f5da28e9a35b5364f7
-
Filesize
401KB
MD53535fcd3063a2965f1dd8f9b65ca8355
SHA11f5c89caf911a08415d55ce1687101b65871b122
SHA256086057602eec63ed064bd97c1643b20c727aa4a557d16bd26a763716414620fe
SHA5129b623500ffbe25d6dc08c3c90aeb8c123e9fc2841f0962b6fe57ca1d2ab44fb1062352e1d5ab1d506b156c0b25aaf96ca6267a36fd064c97c12df965bcd66929
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
2.1MB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.6MB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB