Overview (score 10/10)
Static analysis: static (score 10/10)

Task                    Platform              Score
7a78d3faa8...c0.exe     windows7-x64          10/10
7a78d3faa8...c0.exe     windows10-2004-x64    10/10
7a8104b16e...22.exe     windows7-x64          10/10
7a8104b16e...22.exe     windows10-2004-x64    10/10
7ab705f224...05.exe     windows7-x64          10/10
7ab705f224...05.exe     windows10-2004-x64    10/10
7adc287e95...c9.exe     windows7-x64          10/10
7adc287e95...c9.exe     windows10-2004-x64    10/10
7afc023a5e...1f.exe     windows7-x64          10/10
7afc023a5e...1f.exe     windows10-2004-x64    10/10
7b5101c912...dd.exe     windows7-x64          10/10
7b5101c912...dd.exe     windows10-2004-x64    10/10
7b545826d4...54.exe     windows7-x64          10/10
7b545826d4...54.exe     windows10-2004-x64    10/10
7b61ae4f03...92.exe     windows7-x64          10/10
7b61ae4f03...92.exe     windows10-2004-x64    10/10
7b7c0c824b...52.exe     windows7-x64          10/10
7b7c0c824b...52.exe     windows10-2004-x64    10/10
7b9f7b540f...84.exe     windows7-x64          7/10
7b9f7b540f...84.exe     windows10-2004-x64    7/10
7c24c0692a...ea.exe     windows7-x64          10/10
7c24c0692a...ea.exe     windows10-2004-x64    10/10
7c2f113ba8...fb.exe     windows7-x64          10/10
7c2f113ba8...fb.exe     windows10-2004-x64    10/10
7c8b7f048d...3e.exe     windows7-x64          10/10
7c8b7f048d...3e.exe     windows10-2004-x64    10/10
7ca42dc286...36.exe     windows7-x64          10/10
7ca42dc286...36.exe     windows10-2004-x64    10/10
7ce67df193...f2.exe     windows7-x64          10/10
7ce67df193...f2.exe     windows10-2004-x64    10/10
7cebdbe487...1d.exe     windows7-x64          7/10
7cebdbe487...1d.exe     windows10-2004-x64    7/10

General
- Target: archive_30.zip
- Size: 41.1MB
- Sample: 250322-gyt3xsyzhy
- MD5: 6f02cc61cb8945dcee48265ad6916e5a
- SHA1: eaa411bb33a94ae4615468aa45722835a69babd0
- SHA256: ec57a5693533b024615c157ec0e3867b2eb73a65a12c20501ef8ff00ffd8f65c
- SHA512: 44a16e25b997d1efb8bcd57d4457da7ef4219be559dcb7d41d2ddd1704442088b43ee38d8a45ba1babd8f5e3893b80b61faa07e57a044d75f97782beb88b0a5f
- SSDEEP: 786432:fbPaTBnwiKgydYEQ//yxNMPaQ7s6uHumHAkX3WfYMKVYFMWIPc8E:fbklDEEaYtgHuoHW+VYruc8E
Static task: static1

Behavioral tasks (sample and resource):
- behavioral1: 7a78d3faa8bb1e60b3300959a55559c0.exe (win7-20240903-en)
- behavioral2: 7a78d3faa8bb1e60b3300959a55559c0.exe (win10v2004-20250314-en)
- behavioral3: 7a8104b16eebe51954a83ce3ee440b125476d3222314a3cbba247ddf77d62b22.exe (win7-20240903-en)
- behavioral4: 7a8104b16eebe51954a83ce3ee440b125476d3222314a3cbba247ddf77d62b22.exe (win10v2004-20250314-en)
- behavioral5: 7ab705f224e5e7c9426f8602ace00f05.exe (win7-20240903-en)
- behavioral6: 7ab705f224e5e7c9426f8602ace00f05.exe (win10v2004-20250314-en)
- behavioral7: 7adc287e958d5eb62246c2714f59cec9.exe (win7-20241010-en)
- behavioral8: 7adc287e958d5eb62246c2714f59cec9.exe (win10v2004-20250313-en)
- behavioral9: 7afc023a5e75b3afa7bbb2091a6170dbc3c895858f38ee5016dc1fa63e71a41f.exe (win7-20240903-en)
- behavioral10: 7afc023a5e75b3afa7bbb2091a6170dbc3c895858f38ee5016dc1fa63e71a41f.exe (win10v2004-20250313-en)
- behavioral11: 7b5101c9122edf393eb01ae2e8376ff4c068ae90480c777e1d5e671b2d2b61dd.exe (win7-20240903-en)
- behavioral12: 7b5101c9122edf393eb01ae2e8376ff4c068ae90480c777e1d5e671b2d2b61dd.exe (win10v2004-20250314-en)
- behavioral13: 7b545826d4c80e7dc461ebae6c6dd9a3ddadec34a907d988744a485390bd6d54.exe (win7-20241023-en)
- behavioral14: 7b545826d4c80e7dc461ebae6c6dd9a3ddadec34a907d988744a485390bd6d54.exe (win10v2004-20250314-en)
- behavioral15: 7b61ae4f030c2ff2d514149d23e413fd0ca5044e4330887faebb33446b4e4792.exe (win7-20241010-en)
- behavioral16: 7b61ae4f030c2ff2d514149d23e413fd0ca5044e4330887faebb33446b4e4792.exe (win10v2004-20250314-en)
- behavioral17: 7b7c0c824b8d7f5dcd61ecd49ef48352.exe (win7-20240903-en)
- behavioral18: 7b7c0c824b8d7f5dcd61ecd49ef48352.exe (win10v2004-20250314-en)
- behavioral19: 7b9f7b540f1d1f808cab1b3a24e97d84.exe (win7-20241010-en)
- behavioral20: 7b9f7b540f1d1f808cab1b3a24e97d84.exe (win10v2004-20250314-en)
- behavioral21: 7c24c0692aeb64f8cab8de418247bdea.exe (win7-20241010-en)
- behavioral22: 7c24c0692aeb64f8cab8de418247bdea.exe (win10v2004-20250314-en)
- behavioral23: 7c2f113ba8a501582e5be7ba0c0bf0fb.exe (win7-20240903-en)
- behavioral24: 7c2f113ba8a501582e5be7ba0c0bf0fb.exe (win10v2004-20250314-en)
- behavioral25: 7c8b7f048ddf08182db2824fff38e73e.exe (win7-20250207-en)
- behavioral26: 7c8b7f048ddf08182db2824fff38e73e.exe (win10v2004-20250314-en)
- behavioral27: 7ca42dc286ca99ecb75ab26cc68042f04556b199feb0ecdece718faf13b8de36.exe (win7-20240729-en)
- behavioral28: 7ca42dc286ca99ecb75ab26cc68042f04556b199feb0ecdece718faf13b8de36.exe (win10v2004-20250314-en)
- behavioral29: 7ce67df193db91ca606ca62cfd5ffef2.exe (win7-20240729-en)
- behavioral30: 7ce67df193db91ca606ca62cfd5ffef2.exe (win10v2004-20250314-en)
- behavioral31: 7cebdbe487a669e8a1bbd5c09ed5721d.exe (win7-20240903-en)
- behavioral32: 7cebdbe487a669e8a1bbd5c09ed5721d.exe (win10v2004-20250314-en)
Malware Config

Extracted: njrat 0.7d
- Botnet: Headr
- C2: error86eg.ddns.net:1177
- Mutex: d5c29d22d9fa14b1dd7cfd15d962944d
- reg_key: d5c29d22d9fa14b1dd7cfd15d962944d
- splitter: |'|'|

Extracted: quasar 1.3.0.0
- Botnet: Office04
- C2: 5.178.111.227:1604
- Mutex: QSR_MUTEX_bpq5GgdeRU1mv1bJt5
- encryption_key: 6GhQeBE4Z58goiq8LNT2
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir

Extracted: mercurialgrabber
- C2: https://discord.com/api/webhooks/1288901667378696305/Ld3vx4JK5uthMQySWRKj1BbYyngn7jZHuyKNgQFZYluhp1VI2lWyMrfi3zxaVADYWM2s

Extracted: xworm
- C2: <Xwormmm>:22
- Install_directory: %ProgramData%
- install_file: taskhostw.exe
- pastebin_url: https://pastebin.com/raw/PiG09ZD4
- telegram: https://api.telegram.org/bot7087178461:AAGD_ZY09vmL3W39007S6ZEOLHQ-pPs8p0U/sendMessage?chat_id=7046939751

Extracted: njrat Platinum
- Botnet: HacKed
- C2: 127.0.0.1:9509
- Mutex: Client.exe
- reg_key: Client.exe
- splitter: |Ghost|

Extracted: xworm 5.0
- C2: china-limit.gl.at.ply.gg:4435
- C2: 142.202.240.81:7232
- C2: 192.168.100.13:7000
- C2: 178.173.236.10:7000
- Mutex: JDPgKbiXEJ3NhlvV
- install_file: USB.exe

Extracted: asyncrat 0.5.8
- Botnet: Default
- C2: 127.0.0.1:6606
- C2: 127.0.0.1:7707
- C2: 127.0.0.1:8808
- Mutex: ZMJtqae1O6kd
- delay: 3
- install: false
- install_folder: %AppData%

Extracted: quasar 1.4.1
- Botnet: Office04
- C2: 137.184.183.22:4782
- Mutex: 3531a325-1303-4497-bbea-4f44f2c7a574
- encryption_key: 153F6334E2592BCD4581017D1E90F4A135DE3834
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir

Extracted: njrat 0.7d
- Botnet: HacKed
- C2: hakim32.ddns.net:2000
- C2: sun-jpeg.gl.at.ply.gg:6021
- Mutex: 9e886a778412862a9d382f947b7bccf8
- reg_key: 9e886a778412862a9d382f947b7bccf8
- splitter: |'|'|

Extracted: SMTP credentials
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: Boy12345#

Extracted: remcos 1.7 Pro
- Botnet: Host
- C2: 213.183.58.19:4000
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: read.dat
- keylog_flag: false
- keylog_folder: CastC
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_sccafsoidz
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5

Extracted: asyncrat 5.0.5
- Botnet: Venom Clients
- C2: 147.185.221.27:3368
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: true
- install_file: Update.exe
- install_folder: %Temp%

Extracted: vipkeylogger
- Protocol: smtp
- Host: mail.vayabattery.com
- Port: 587
- Username: [email protected]
- Password: H@123456
- Email To: [email protected]

Extracted: SMTP credentials
- Protocol: smtp
- Host: mail.vayabattery.com
- Port: 587
- Username: [email protected]
- Password: H@123456
Targets

Target: 7a78d3faa8bb1e60b3300959a55559c0.exe
- Size: 568KB
- MD5: 7a78d3faa8bb1e60b3300959a55559c0
- SHA1: 62d2bccbe2668f8286c3e39b786891df3c31b2ee
- SHA256: b68793e923fc0ceeef6836e8af6e3a26b75546c7f37ca8e7711f699a3af1ee51
- SHA512: 1ca46bc1eb1b124b093f4f3af46922c3770fd86a1422b44e0cd72262acd0e42cca5d534d77593d9ecf7039827f4b68ec81806a09121bda33f24f7428ccd2bb2b
- SSDEEP: 6144:4tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rB:s6u7+487IFjvelQypyfy7B

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 7a8104b16eebe51954a83ce3ee440b125476d3222314a3cbba247ddf77d62b22.exe
- Size: 2.0MB
- MD5: 3f7f44056fd230ba67244b6d62a671cd
- SHA1: 97fefb8a73fdba2833fe8a6a9c20e4fea40c8708
- SHA256: 7a8104b16eebe51954a83ce3ee440b125476d3222314a3cbba247ddf77d62b22
- SHA512: a78f91e7ff757b4b98120f4c02c11d7cef8c9c181de89b0da000447c1c599e9d5d5baddeccc2ec51d2a62f462109d2a18d4dfa9b0a145ecc0c7a0c4bb99780fa
- SSDEEP: 49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
- Score: 10/10

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 7ab705f224e5e7c9426f8602ace00f05.exe
- Size: 23KB
- MD5: 7ab705f224e5e7c9426f8602ace00f05
- SHA1: 75e2590e9533919124a80af6bd9b73a62aef538c
- SHA256: e371e2c9244e32516ac55ca961b851e201e0f1bc100a4884347646f602438d3f
- SHA512: f6ebf8a21d373d0cbc506868371057ed9393971a9451d6561bf51d1a19357a085b2ee9877b2cabaab9048ee27beb89f8e0f3b5f84d7f212bb0497d8711d36fa1
- SSDEEP: 384:0wz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZnq:PTbC81NgRpcnuF

- Njrat family
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 7adc287e958d5eb62246c2714f59cec9.exe
- Size: 348KB
- MD5: 7adc287e958d5eb62246c2714f59cec9
- SHA1: abb24b0c9e0b20ca97b5280e92a285cc9df2c04c
- SHA256: 8ae1ebf7431cb437d83619cfb4d991adb87e20f56b20b5e4d0d32e4b219e71c1
- SHA512: f2afe3bdd87a1a041fd7763a626d46e1597e1f1965695a9a47e516b7383c17f03881f145981abdbeb62f23b50d6cdf4309d4b8b34a32d7b76653710eb2fcc770
- SSDEEP: 6144:F2NHXf500Ma2RNib5h7mubW0pFUoIj7FKJ6Qii/G:8d50xKb5pmBpvFKwQiAG

- Quasar family
- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 7afc023a5e75b3afa7bbb2091a6170dbc3c895858f38ee5016dc1fa63e71a41f.exe
- Size: 274KB
- MD5: 9aca6f714263d9782126c97d7e0b06e1
- SHA1: 83164afc9af65f2bbac9f11104cd749a0ce4cb38
- SHA256: 7afc023a5e75b3afa7bbb2091a6170dbc3c895858f38ee5016dc1fa63e71a41f
- SHA512: 64d2e0e004e5b767d5b92e5ddc5bdf0c2629b2457ea3e1371999db2b1a38329892dfd120d10579ffc41ec3db92043c80c8435b709791d421f3e6b18d6080a2c4
- SSDEEP: 1536:Jc1C0eQWT+F7EIiXS0UUwfW4Yb/uE7SDhOaa:61ve5T+F7Eri0UUwfW4Yb/uE7SDhOaa
- Score: 10/10

- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Mercurialgrabber family
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.

Target: 7b5101c9122edf393eb01ae2e8376ff4c068ae90480c777e1d5e671b2d2b61dd.exe
- Size: 1.8MB
- MD5: 3a219547f510eb35578328582fee3d73
- SHA1: 346bbbcff1e8a30cdb4538f1215b1ac45efb4960
- SHA256: 7b5101c9122edf393eb01ae2e8376ff4c068ae90480c777e1d5e671b2d2b61dd
- SHA512: 029b085ac2318bd10058472bbe80f2080a672107a8c9819c1ffc17a63b3035e2821e123a95f4cc48d44ef9fdab7ce8a8e2f0c54bca378925b47481aeee02e8af
- SSDEEP: 24576:ND39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH67:NF+QrFUBgq25eKu67

- Remcos family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 7b545826d4c80e7dc461ebae6c6dd9a3ddadec34a907d988744a485390bd6d54.exe
- Size: 2.6MB
- MD5: 06d1930575f5e3d2ef24b09275650dd3
- SHA1: f721980b35e51016f088d394c32df3aaef08e557
- SHA256: 7b545826d4c80e7dc461ebae6c6dd9a3ddadec34a907d988744a485390bd6d54
- SHA512: 4f036899fda417edfd5c82582f4c5abe9790c70d9e009003f039aafffd874353196266d4aca9667913bcc149cd8ed4a488ec7c42fed6b73a2c25f949a80a3205
- SSDEEP: 49152:eapljSe2SpnpDL39r34BR1kg0wQYhD/Nhoa9Tx4gb:eElnp9L39r34BR1kg0wQsDVzTx4gb
- Score: 10/10

- Asyncrat family
- Suspicious use of SetThreadContext

Target: 7b61ae4f030c2ff2d514149d23e413fd0ca5044e4330887faebb33446b4e4792.exe
- Size: 2.0MB
- MD5: 47c581f4beadfb88d5c8bff1b15c3d85
- SHA1: 7769ee60673d2816af999760c3d5f963cbd32833
- SHA256: 7b61ae4f030c2ff2d514149d23e413fd0ca5044e4330887faebb33446b4e4792
- SHA512: 66450111504a6af2e104ce2bf35eaf0cf09bd3ef77338a954622b6e41cc7c1106e88408591f872004baf49bb84d2f6ad49e351a11fe29ce685deaf7e948c55c0
- SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
- Score: 10/10

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 7b7c0c824b8d7f5dcd61ecd49ef48352.exe
- Size: 712KB
- MD5: 7b7c0c824b8d7f5dcd61ecd49ef48352
- SHA1: 0a8ed99d490dd907d89315032a1d261671c28da3
- SHA256: f54352a0596f8c113076d6fd439b0cac314cc1b409f5d852124abaa22dc5e9b9
- SHA512: b78b5c46c5c0a06a74625ef57758927b6c7b828f438662e9a915471d0edec5779ae2178dbc0f77a282926cecf1736518b98298250752bc51a1af273146026ce6
- SSDEEP: 12288:dbcQvojtBoxgeRCiFqGJX4txiAiKlSaVjWSPjqVLZ1grAqzt6Mlvr6:dIjtBoGSlFHd4txiqlNjL7q+Htvr6

- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: 7b9f7b540f1d1f808cab1b3a24e97d84.exe
- Size: 1.4MB
- MD5: 7b9f7b540f1d1f808cab1b3a24e97d84
- SHA1: e072620b10afc026e5ccd13f417df2014c60175b
- SHA256: 55de2e0c15aeebc7aa585f44ae2010a38eb865d8654ce9bc6b2d6d1e3a004f95
- SHA512: 550034a3f77be490ae5e5c4827b4d101f98fb70795d02fe4209b74210950bf4c2ad0597fb280f64bba591f928bb2f0231038f40bb9737e0638fdd1b21bab2159
- SSDEEP: 24576:48dvIOVmW6AbPsArkueRKmV3sNlHfiqJ7NJn:4owONbkBuyKmBs7V
- Score: 7/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 7c24c0692aeb64f8cab8de418247bdea.exe
- Size: 63KB
- MD5: 7c24c0692aeb64f8cab8de418247bdea
- SHA1: 9217b6dbc5bd5befd36aa7aa93b74eb61c876228
- SHA256: 89f222ed48edddaa5f75670110a1803f56026094dd1ad861242d30707edde308
- SHA512: 7de777e4da18487a9ce5e7cf758758ceeb1520ec12d26d8e9e19d545f5c482c3ae6ad1218e553af518f31b97a43c5bb227fbdb8bf3860cb9cc650208c7154d7d
- SSDEEP: 768:mNKircLy8/3U066TUgcWjEJBVa10SEbi/ba5RigCUckiz4eKhzV9ZqdjhqO0Bd:mVP+xX4nYba5jC9kBeKhzV96wpd

- Detect Xworm Payload
- Xworm family
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 7c2f113ba8a501582e5be7ba0c0bf0fb.exe
- Size: 5.9MB
- MD5: 7c2f113ba8a501582e5be7ba0c0bf0fb
- SHA1: ff9cf8d30af6127eb666f6beef694468aa4635e9
- SHA256: de9937ea08cc871fea712bab7d3206d845f302b33cf1c469ec57f26017abf196
- SHA512: 86cb31695c72d27f26acfa889726be42a24fe8e4ea63b18b6c6d485ea4a0a26199b8dced77fb2dea3da10643307cf11ab5abd52f8b8b85a3e70bb121f037b7b8
- SSDEEP: 98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4j:RyeU11Rvqmu8TWKnF6N/1wW

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 7c8b7f048ddf08182db2824fff38e73e.exe
- Size: 65KB
- MD5: 7c8b7f048ddf08182db2824fff38e73e
- SHA1: 06426325c605afd5fa123d9c68d8c8af32ce6b56
- SHA256: 7fcac21f046d9490d9b97aa9fbc30cd0a8d64348eb0911d1b90ebbbea15d87fa
- SHA512: 8f98d7ad8ba08d1b136e3dd97fb19670c58fa79dad4a82eb293b24f2898b9c952a8247527a95e40a38418994f966d79d1c93521bf6bd69332fb91af9b5b02c33
- SSDEEP: 1536:/vY8boN36tdQviFw1awamBnvbrfLteF3nLrB9z3nwaF9bt4S9vM:/vY8boN36tdQviFC19BnHfWl9zgaF9b+
- Score: 10/10

- Njrat family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 7ca42dc286ca99ecb75ab26cc68042f04556b199feb0ecdece718faf13b8de36.exe
- Size: 2.0MB
- MD5: f21def2cacce9d2149abd673f344fbc0
- SHA1: ea64f2a295933c32fd01ce7ac91cf5e9cdaeb491
- SHA256: 7ca42dc286ca99ecb75ab26cc68042f04556b199feb0ecdece718faf13b8de36
- SHA512: 8d731bd745723001bed0796ea31751a90bc926a562e7ac6d315623c376e1ce6da03d648d35147571c3905180c9927f3d23ef3e017a3d4907e6e22b60103837a9
- SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
- Score: 10/10

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family

Target: 7ce67df193db91ca606ca62cfd5ffef2.exe
- Size: 2.5MB
- MD5: 7ce67df193db91ca606ca62cfd5ffef2
- SHA1: f02ff6e498478d340865f7f4626ec0485d091b0c
- SHA256: 7b562c692b687673085ad7a1d3a85ce903c930d8b17da8a09cdfc7e382b5f719
- SHA512: 5aa42516fe917bed086d7e89d691c01cff876cc4fe50756c4e8bdd899511b04deccb5ecd5f980ea7843f63e4547093b81a892762da17119762f20a960a9e76a2
- SSDEEP: 49152:KGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:KGVyWNGGN2sqWs+fz+pVZTYp
- Score: 10/10

- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

Target: 7cebdbe487a669e8a1bbd5c09ed5721d.exe
- Size: 2.1MB
- MD5: 7cebdbe487a669e8a1bbd5c09ed5721d
- SHA1: 354f2575c983e428a6ca1a4f0c4d15f69722a225
- SHA256: 42561b0c7f8a631b2046c23005aa5af7425e83c550973f80c306146a878edb20
- SHA512: 6818edd60d2ec2595e1115961862c509f9e8ba6f4a07f3fe2cabf154fc29a4992f1043b7774b0f317ebb2a7d4e40cd2aaae40ebda4127db0c1c53dcc310d7698
- SSDEEP: 49152:Q/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4CfS:I
- Score: 7/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

MITRE ATT&CK Enterprise v15 (technique and number of matching signatures)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (5)
  - Credentials In Files (4)
  - Credentials in Registry (1)