Resubmissions
26-07-2024 23:18  240726-3ac1dsthre  10
11-06-2024 01:50  240611-b9q8hszbqh  10
09-06-2024 15:53  240609-tbyttach24  10

Analysis
max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 23:18

Static task: static1
Behavioral task: behavioral1 (Sample: Dexis Setup.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: Dexis Setup.exe, Resource: win10-20240404-en)
Behavioral task: behavioral3 (Sample: Dexis Setup.exe, Resource: win10v2004-20240709-en)

General
Target: Dexis Setup.exe
Size: 64.6MB
MD5: 168e953440d699dc30a39402b4f6e625
SHA1: 66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
SHA256: c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
SHA512: 0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
SSDEEP: 1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Malware Config
Extracted
stealc
dex23
http://45.156.27.196
url_path: /4c7ef30d4540070f.php
Signatures

Detects HijackLoader (aka IDAT Loader) (1 IoCs)
HijackLoader is a multistage loader first seen in 2023.
  resource: behavioral1/files/0x000900000001adaf-346.dat  yara_rule: family_hijackloader

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 1820  powershell.exe
  pid 1808  powershell.exe
  pid 2052  powershell.exe
  pid 2704  powershell.exe

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Downloads MZ/PE file

Suspicious use of SetThreadContext (1 IoCs)
  PID 560 set thread context of 1584  (pid 560, snss1.exe, procid_target 42)

Drops file in Program Files directory (64 IoCs)
Executes dropped EXE (3 IoCs)
  pid 1712  Dexis.exe
  pid 1192  Process not Found
  pid 560   snss1.exe

Loads dropped DLL (3 IoCs)
  pid 2192  Dexis Setup.exe
  pid 1164  explorer.exe
  pid 1164  explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dexis Setup.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  snss1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  explorer.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  explorer.exe

Modifies system certificate store
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  Dexis.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (data not shown)  Dexis.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (data not shown)  Dexis.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 1820  powershell.exe
  pid 1808  powershell.exe
  pid 2052  powershell.exe
  pid 2704  powershell.exe
  pid 560   snss1.exe
  pid 560   snss1.exe
  pid 1584  cmd.exe
  pid 1584  cmd.exe
  pid 1164  explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 560   snss1.exe
  pid 1584  cmd.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 1820  powershell.exe
  Token: SeDebugPrivilege  pid 1808  powershell.exe
  Token: SeDebugPrivilege  pid 2052  powershell.exe
  Token: SeDebugPrivilege  pid 2704  powershell.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe  (PID 2192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Dexis\Dexis.exe  (PID 1712)
    Command line: "C:\Program Files (x86)\Dexis\Dexis.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1820)
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1808)
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2052)
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2704)
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\7ba77e13-c4ed-4614-a06b-a6eb89354b79\snss1.exe  (PID 560)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ba77e13-c4ed-4614-a06b-a6eb89354b79\snss1.exe"
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 1584)
        Command line: C:\Windows\SysWOW64\cmd.exe
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe  (PID 1164)
          Command line: C:\Windows\SysWOW64\explorer.exe
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads