Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 03/11/2024, 02:48
Static task: static1
Behavioral task: behavioral1
- Sample: 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 8945c4b0a22bdc55e7f5d29840908386
- SHA1: 694f666f0b2a93ebc09bbf6c899a59ad66acc9a5
- SHA256: e1e68a721a56667f51ef35fb963d5c6a048655b1df85f2af1b996896bc232fd0
- SHA512: 9cf9e7cf95a9b6434a793baa2251410ee0603a3b66c1a74d00ec00073bd285051bd235712cafcf1724d1ed65165210d7dcaab17e540576ca76986b8ece13db94
- SSDEEP: 24576:3aUAGNqxJpv5UfpiQtL+PipOYJGQISUn1uu:3NqDprQtL+PipDJsPou
Malware Config
Signatures
-
Detected Nirsoft tools 11 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/2656-89-0x0000000000400000-0x0000000000425000-memory.dmp | Nirsoft
behavioral1/memory/2656-90-0x0000000000400000-0x0000000000425000-memory.dmp | Nirsoft
behavioral1/memory/2656-91-0x0000000000400000-0x0000000000425000-memory.dmp | Nirsoft
behavioral1/memory/1400-105-0x0000000000400000-0x000000000043D000-memory.dmp | Nirsoft
behavioral1/memory/1400-108-0x0000000000400000-0x000000000043D000-memory.dmp | Nirsoft
behavioral1/memory/1400-111-0x0000000000400000-0x000000000043D000-memory.dmp | Nirsoft
behavioral1/memory/1528-134-0x0000000000400000-0x000000000041A000-memory.dmp | Nirsoft
behavioral1/memory/1928-128-0x0000000000400000-0x000000000041D000-memory.dmp | Nirsoft
behavioral1/memory/1528-137-0x0000000000400000-0x000000000041A000-memory.dmp | Nirsoft
behavioral1/memory/3004-230-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral1/memory/3004-190-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/1928-128-0x0000000000400000-0x000000000041D000-memory.dmp | MailPassView
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UI1581R0-W213-7V77-SQ12-RGTNGCUN381Y}\StubPath = "C:\\Windows\\Root\\Root.exe Restart" | TestFile1.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UI1581R0-W213-7V77-SQ12-RGTNGCUN381Y} | TestFile1.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2872 | netsh.exe
Executes dropped EXE 14 IoCs
pid | Process
2548 | TestFile1.exe
2376 | TestFile2.exe
1956 | TestFile1.exe
2752 | TestFile2.exe
2656 | TestFile2.exe
1400 | TestFile2.exe
1928 | TestFile2.exe
1528 | TestFile2.exe
1952 | TestFile2.exe
1736 | TestFile2.exe
3004 | TestFile2.exe
2964 | TestFile2.exe
444 | TestFile2.exe
944 | TestFile2.exe
Loads dropped DLL 16 IoCs
pid | Process
2076 | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
2076 | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
2548 | TestFile1.exe
2076 | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
2076 | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
2376 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
2752 | TestFile2.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | TestFile2.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Root = "C:\\Windows\\Root\\Root.exe" | TestFile1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Root Server = "C:\\Windows\\Root\\Root.exe" | TestFile1.exe
Suspicious use of SetThreadContext 12 IoCs
description | pid | Process | procid_target
PID 2548 set thread context of 1956 | 2548 | TestFile1.exe | 31
PID 2376 set thread context of 2752 | 2376 | TestFile2.exe | 36
PID 2752 set thread context of 2656 | 2752 | TestFile2.exe | 37
PID 2752 set thread context of 1400 | 2752 | TestFile2.exe | 38
PID 2752 set thread context of 1928 | 2752 | TestFile2.exe | 39
PID 2752 set thread context of 1528 | 2752 | TestFile2.exe | 40
PID 2752 set thread context of 1952 | 2752 | TestFile2.exe | 41
PID 2752 set thread context of 1736 | 2752 | TestFile2.exe | 42
PID 2752 set thread context of 3004 | 2752 | TestFile2.exe | 43
PID 2752 set thread context of 2964 | 2752 | TestFile2.exe | 44
PID 2752 set thread context of 444 | 2752 | TestFile2.exe | 45
PID 2752 set thread context of 944 | 2752 | TestFile2.exe | 46
resource | yara_rule
behavioral1/memory/2656-89-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-88-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-90-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-86-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-83-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-81-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/2656-91-0x0000000000400000-0x0000000000425000-memory.dmp | upx
behavioral1/memory/1400-105-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral1/memory/1400-108-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral1/memory/1400-98-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral1/memory/1400-96-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral1/memory/1400-111-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral1/memory/1528-134-0x0000000000400000-0x000000000041A000-memory.dmp | upx
behavioral1/memory/1928-128-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral1/memory/1528-137-0x0000000000400000-0x000000000041A000-memory.dmp | upx
behavioral1/memory/3004-230-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/3004-190-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Root\logs.dat | TestFile1.exe
File opened for modification | C:\Windows\Root\plugin.dat | TestFile1.exe
File created | C:\Windows\Root\Root.exe | TestFile1.exe
File opened for modification | C:\Windows\Root\Root.exe | TestFile1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TestFile2.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | TestFile2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | TestFile2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | TestFile2.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1956 | TestFile1.exe
1956 | TestFile1.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1956 | TestFile1.exe
Token: SeDebugPrivilege | 1956 | TestFile1.exe
Token: SeDebugPrivilege | 1956 | TestFile1.exe
Token: SeDebugPrivilege | 1956 | TestFile1.exe
Token: SeDebugPrivilege | 2656 | TestFile2.exe
Token: SeDebugPrivilege | 1528 | TestFile2.exe
Token: SeRestorePrivilege | 1528 | TestFile2.exe
Token: SeBackupPrivilege | 1528 | TestFile2.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
2076 | 8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
2548 | TestFile1.exe
2376 | TestFile2.exe
2752 | TestFile2.exe
1736 | TestFile2.exe
444 | TestFile2.exe
2964 | TestFile2.exe
944 | TestFile2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- PID 2076: C:\Users\Admin\AppData\Local\Temp\8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8945c4b0a22bdc55e7f5d29840908386_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 2548: C:\Users\Admin\AppData\Local\Temp\TestFile1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TestFile1.exe" -s
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 1956: C:\Users\Admin\AppData\Local\Temp\TestFile1.exe
      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 2764: C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - PID 2376: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TestFile2.exe" -s
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 2872: C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\System32\netsh.exe firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TestFile2.exe" "WinUpdater" ENABLE
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - PID 2752: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx
      - PID 2656: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\msg.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - PID 1400: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\cho.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - PID 1928: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\mail.txt
        Signatures: Executes dropped EXE; Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
      - PID 1528: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /scomma C:\Users\Admin\AppData\Local\Temp\ie.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - PID 1952: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /shtml C:\Users\Admin\AppData\Local\Temp\ps.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - PID 1736: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - PID 3004: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe /shtml C:\Users\Admin\AppData\Local\Temp\dial.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - PID 2964: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe C:\Users\Admin\AppData\Local\Temp\10#dueisnw1.txt
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - PID 444: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - PID 944: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\TestFile2.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads