Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08/10/2024, 13:22 UTC
General
-
Target
U prilogu je predracun.exe
-
Size
600KB
-
MD5
7805af2fe70854ae49f57b6d3a95e59e
-
SHA1
541d0eb275873c736eb7b80ab1b3619c8c2024dd
-
SHA256
b498a3f4967ef692a331633708f10ac8bbe57579957102bfe751cd479a4cc92f
-
SHA512
031ae4fa84f65a56494cd142163c1ec169b2d6ab347433cbf686e7c31058d2951748c3bc15c5458e02f5153922e062e5dc21334cc9a08421b394772139bc285e
-
SSDEEP
12288:znC0w99+n4+7zVlsIML0qv3V5X1TnluGvy7Y1/xy1q5mE+:Rwyn4YRlsZ5v/XRlutcysEE
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.pishgamsanaat.com - Port:
587 - Username:
info@pishgamsanaat.com - Password:
Pishgam123456
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
mail.pishgamsanaat.com - Port:
587 - Username:
info@pishgamsanaat.com - Password:
Pishgam123456 - Email To:
nwekej772@balteko.lv
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbAPDfoDcfwBL.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbAPDfoDcfwBL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11CC.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"C:\Users\Admin\AppData\Local\Temp\U prilogu je predracun.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
Network
-
DNScheckip.dyndns.orgRemote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A158.101.44.242 -
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:27 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7c51a98d221085e2d02f8fd59cf6d85b
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:30 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ed5308d5e77c0888137d10c35ba43578
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:36 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b0e4da4fe5cbb423fcc2062522a8b92c
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:38 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6d8cb7e7c149f71ab956d5bfbd783a8f
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:41 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cb0a26d3b95294443c993164df265583
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:44 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f663f196c15c7d76fb63195b2c685892
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:47 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5f9aaead548264598bac97a76bbed7b0
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:50 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 086f029c77f26140b7fadaf936b84156
-
GEThttp://checkip.dyndns.org/Remote address:193.122.130.0:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:52 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4f6413bfe286592203fde5e9f7119d43
-
DNSreallyfreegeoip.orgRemote address:8.8.8.8:53Requestreallyfreegeoip.orgIN AResponsereallyfreegeoip.orgIN A104.21.67.152reallyfreegeoip.orgIN A172.67.177.134
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:33 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74142
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RjcGAJQdwWibUsqI2rMYo7zFA%2BGIyxHlKtphcadIa2Wc08DAzdOogCporDnr%2Bl8XR6%2BKBlpaqoAmt5JyMGpkRMYlG9nPgEw%2BIb%2BIhA%2Bn2MXr3WXRLdWvsPZLaRQPyDz0GUq90Mwy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf67235add8419b-LHR
alt-svc: h3=":443"; ma=86400
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:36 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74145
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H7woH8yB70Z6mmEc5w8wforN%2FCfEmgVmWLY9POVeAbP9UuDbPaZcsmaGyKBbqw%2B8rkEMl1Ask6AUVSLG2RZYtGd1NI4gtb7zUJWpfUq8I13iPq8bZT2P0y%2F1kPKXOHViIHrxHEte"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf672474f0b419b-LHR
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:39 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74147
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wzgdP8af6aDkA%2Fvive1WPVUtC0POaIWEcQ5AwbjmZQLHCW4gbeTc5jcAOLh2%2BORHAIKwbcu7YP6e3HrFQUH%2BbpQF%2FycLYbgUi%2Bn2SQrh0G3ExwKF%2BjOIiy0c8P4LkYmW1oIHpyeB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf672589a8b419b-LHR
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:41 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74150
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dcJffspY4Vh4uWRRbcGJAy2LndRicwxeVdvEKhizOTQ8P8pRrPtBdFAyg7SG3iozTsWGo%2FSIiXwnafR52TlzTW6gBhvZRnLcvxP8dIgs%2FWMjWkHxxTgb04Q%2BvOW71Y%2F2H%2FunT%2FqR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf67269fbfc419b-LHR
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:44 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74153
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4TWCNHX0ezfRouiZ9n%2FjMfir5opLDh7T7Dk3QN3URXzyTNMDQ5u8eqKaE42YTDbjraxUGIGeQ7cO%2BtnpJSL7fFEJtsW0COB6KapPVIpYj%2BueTOe0rGp1OrWbLewWt6blg97OaGHi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf6727b6d18419b-LHR
alt-svc: h3=":443"; ma=86400
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:47 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74156
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wLKK1MRsD2Cw10zEi4s%2BO3K1f8r1Lkg8UIbCQ1GLpwyI1w5BnwhqWyunvnBBPnzjdLYXEAeiazFqk5Kj6iYcjdtt975%2BKOUF7ca0p2wp4C1PvDExTTCulBgCKM0I6d8cjvXv2Pgf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf6728ceeb3419b-LHR
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:50 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74159
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIJ%2FAULcg38u6u0Dz4RE73Uay6Wu1G8dRS1LbjOBG4ClQ1dYHt3J7QNzWbCGzt6RxGbhxXIUTfIAKgqQ2rvh%2BVgGoaVjoRrwVMkUUbjl8h1g6rcKeoCm%2Fa%2Bz0dxHhmzOSZXxGmwv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf6729e5d19419b-LHR
-
GEThttps://reallyfreegeoip.org/xml/138.199.29.44Remote address:104.21.67.152:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: reallyfreegeoip.org
ResponseHTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:52 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 74161
Last-Modified: Mon, 07 Oct 2024 16:47:51 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NHBrppCWFiws%2FdltVv43VjyfaDhHH7OL%2FOOMKRgJe0dq7NPIgc2QC6FcH3wyzxJR5DAiwKwSyC%2F30A7GYEn22d01lhSk7CB82yj5qfAxoQuXfcHQvEeyWK4RQR2qN7nevyhZOCPH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cf672afdcb8419b-LHR
-
DNSmail.pishgamsanaat.comRemote address:8.8.8.8:53Requestmail.pishgamsanaat.comIN AResponsemail.pishgamsanaat.comIN A217.144.104.62
-
193.122.130.0:80http://checkip.dyndns.org/http
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
104.21.67.152:443https://reallyfreegeoip.org/xml/138.199.29.44tls, http
HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200HTTP Request
GET https://reallyfreegeoip.org/xml/138.199.29.44HTTP Response
200 -
217.144.104.62:587mail.pishgamsanaat.comsmtp-submission
-
8.8.8.8:53checkip.dyndns.orgdns
DNS Request
checkip.dyndns.org
DNS Response
193.122.130.0193.122.6.168132.226.247.73132.226.8.169158.101.44.242
-
8.8.8.8:53reallyfreegeoip.orgdns
DNS Request
reallyfreegeoip.org
DNS Response
104.21.67.152172.67.177.134
-
8.8.8.8:53mail.pishgamsanaat.comdns
DNS Request
mail.pishgamsanaat.com
DNS Response
217.144.104.62
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD531de45bd84250484766e3a27b28ebf12
SHA1208d18555be616a28985ea161ca7dca4d92a5c37
SHA256836ee723285e36ebcaa11d96d0166e27ee2e2c5ae731b5d2db05b57ee8194875
SHA5126d1589d2ac51bf9cc19f018adb3cd98f661e900d7f8f30b4061eff7815edefe38c8f9fe6a8e559d68e2a98b0a6d2d3b4dac6f500597373830342baa3aaa04323
-
Filesize
6.9MB
-
Filesize
624KB
-
Filesize
6.9MB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
416KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB