Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
-
submitted
14-02-2025 03:45
General
-
Target
2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe
-
Size
244KB
-
MD5
0c8d0933037436b674f2b8478ec5baba
-
SHA1
e8a7034c43d84b18fb93dc02e8a0b818a645ece1
-
SHA256
2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1
-
SHA512
305050c391f443007e3f6e2e4ec60997da69db406b6d85efd19ed9f71683dbc9697280307867237b24034ebe9d99e8f249fc5fc75cb5bfe55721c283261ab144
-
SSDEEP
6144:Cy9v17kwzsoL9M7df4cqT/4rrUVkg0cDuolN0Ytb4Ra:z97kDo2ffxcP7Dlvs4
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.wewiso.win/8EBA-0ECC-FE83-0072-8E1C
http://cerberhhyed5frqa.m5gid4.win/8EBA-0ECC-FE83-0072-8E1C
http://cerberhhyed5frqa.we34re.top/8EBA-0ECC-FE83-0072-8E1C
http://cerberhhyed5frqa.cneo59.win/8EBA-0ECC-FE83-0072-8E1C
http://cerberhhyed5frqa.sdfiso.win/8EBA-0ECC-FE83-0072-8E1C
http://cerberhhyed5frqa.onion/8EBA-0ECC-FE83-0072-8E1C
Extracted
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Contacts a large (2066) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Downloads MZ/PE file 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe"C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe"C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe"4⤵
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd33b446f8,0x7ffd33b44708,0x7ffd33b447186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,13522154841925027869,2798144556725117480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:16⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt5⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.wewiso.win/8EBA-0ECC-FE83-0072-8E1C?auto5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd33b446f8,0x7ffd33b44708,0x7ffd33b447186⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"5⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "eudcedit.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe" > NUL5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "eudcedit.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe" > NUL3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "2d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUYxNjUzNzItMUZBMy00Mjk5LUI4N0YtQzM1NTgzNUU1NjdFfSIgdXNlcmlkPSJ7RDY1NzJFRjctNTE5NC00Q0I2LUEwREUtODNDRTlFNkQyNjRBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzgyRTk0QzYtQkI2Ny00ODAwLTlCMUQtOUIxRDlCRTJGMzY5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDcyODA5NzUzIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exeC:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exeC:\Users\Admin\AppData\Roaming\{C861201E-33A0-5580-075B-8D71AEE1E70D}\eudcedit.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x520 0x5141⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
2Query Registry
2Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD519a7f42782b4e728bb12731ff9a460f6
SHA1495d51f1a8fa8b55063f307f919f3bc6d67af241
SHA256126eee474c67271293ded1ff06e56bab87c21c0884d22a419fb40e4bc87cacba
SHA51250f21223f1b013c727b26327976f74faa11ec830f6d540eee02d728d9d7b9b617e0b48b63c7b9ebf248d818e5c65bd6e4007e2352f9f59e182c4625a28b28f0f
-
Filesize
152B
MD508edd5c04b02f0b7175bcda703fd0f38
SHA1d4f1968dd481ea01a4023b1ad333e16115cb0e18
SHA256afbae8fd296e93092ced684ac3683e56b28a3e809fe952fab4c9116995dfec09
SHA512474dbd8d089b549cb68585a2657486f35b8aff0b644bceca10714077c4149b84e5d910d4fda400beca016ac83620d8627d2b0ce7cac292fda7c45f3abaea1379
-
Filesize
6KB
MD59d5a5967f483f4f844f4d68981e0f961
SHA18969ba7b26d3c76aecc535214c27c10759679f61
SHA25634384afe8e49b042296ea3043d11e3b83a2ca7314576319534ad164e5a40d00b
SHA5122e07d7acd79c80deae7befdb1b0732120b0b72fd9a403b6b90dcbebbd0e4a3361c87491e7a6b6d599badcdc94e1c649f5c1caa36c0aa2cb0e2e5a08c34f3c802
-
Filesize
6KB
MD584821a73497d55de3265f504689ce64a
SHA16eee1266fa551cd3aea1a889a799f7771e51bece
SHA256e45c90c0aa8fd05cf9120e16cbd8dc025bdc447e2d6bd19520999aeddd910bae
SHA512fa6697c348997072a66389d72e85b041b46fe58816865e1fc06d86f55baff4a5465801fc2b4e25b37fdef29404a5cf07c073bd9035a65ae698154f521176acfc
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a241169991788aedb0f6b46fb7be65ee
SHA1d1d6cad1d8ec2544a5b698777975bae9460f80a9
SHA256bbcbd0daa8bd01c608376e910832ff1fdce894108c35d8afce1b8ef5a6e7ba99
SHA51254438271cb3cab3d4840ab20cb69d4c0e882c9c978aaaf2df41f88012447024c3497d01ee83120c54feb044f61803184dc617d238ea2d11516ffd4ae43f32113
-
Filesize
11KB
MD5ca332bb753b0775d5e806e236ddcec55
SHA1f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA5122de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
-
Filesize
10KB
MD5ff3a21e91a62a5301eebc946ba7c64b7
SHA18c1aa80cb6cc02e133d5621791875003bcc731a0
SHA256e0d0fd1f37bc726ec9093def8f9fdf8e513d8faef48bdc07dfc266ebd94cf40f
SHA51285e20c95d7c6adea9a0a22376c63454a2927e50bc5cf48ba5dae5ec57af66870a37f2aa391b99b89e395e13f678e41d098a9390f11daba1eaeebcdf4ed6c73ec
-
Filesize
90B
MD5efbcd20915477ec71504758ac2b89ef4
SHA1b808a6093333e754e5bd64116b4e57184bb2a6f4
SHA256c169c011effd53250f952506b06cbde514ffe0b0eb05ba8ba8487b8f9f8d6c9e
SHA512c2b54f00390227d5420120ac7d965f528252d4f314d5943ce47d3ae4487172c283b2312749536f7e5367442119aadac767bbd527af33002ae131029632603e2a
-
Filesize
231B
MD59d8c4bfbd009c4d6001e2125abaa8b02
SHA1cd040558172b5fca5b200447a281843956243741
SHA256a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
SHA512c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
-
Filesize
1KB
MD5c971329597cf88d8b5e87cf5557067d4
SHA17fc2be6bf2920d5d34c3bd7318288c4aa12c6c88
SHA256e1fda58d0d4eeb62eb790f7e23594eac460db03a2d2373bfd13e94860dcf38b7
SHA512045b48c780d3482bee79cecb372f36cb1e705eeda37c6130dd12dbd432bce1fcf04a9b3c68618a9c9995c29c7f93314cd8d2fc6f6c6d44ac150c556926307577
-
Filesize
922B
MD5b327f714f4ca746733f335129136f01e
SHA19e73ebaf229d43dba61da0fba7392039d99cde0b
SHA256e1fa52366cfb7518c1269a6d52de74b567a0c352a141725a7f35abca022dee1b
SHA51286cd7acd2e692ddd4f07073b973b4ff18cc4d31faff54d320a8421eeb265059279f7c28a22112e23cee03e1d2cb37b9a1a329a2b21df7d89acfe9a842c320d69
-
Filesize
4KB
MD52ffc46a244c8c828e352ff00ecd1998d
SHA1027361be101f81885d640bdc37f1d570ae7641ae
SHA2560bbdb01bac6545d87b2dc2fe5d198ff8120ef7c642a11b554a66bfe0a34e7a17
SHA512d09fef8fcb254157faef211e2133184f8e6d1e4a33b0074b74fd762c8f4b1881ef1af2b839a1df9cb427c774a3be9f94f12faa7a8f25002d6b1c292f73e6657e
-
Filesize
3KB
MD5781ccb2bc5b2617ee1b745cfaed84147
SHA1afdcb2f84a6333341615a0f4ad3a0b6b093d12ab
SHA2568e5cb4e664b24787bc83420da55594088bb080a4461ae818a5ab5727d5f678bb
SHA51287722978ab8fd9c26ea6cd79b177a402a73ae74fd46bf670dd324ac7b8f1ef1899017b9822eadec991958cba5a197acdf25bdfe2348157bd47a73b6b97b471ae
-
Filesize
1KB
MD5ad50b0f6ed4782e60822c8d1abba7363
SHA1a167ba44366dd1cfd7b532a686885ec9ea1ce18c
SHA25612050432abe192ad58ab204a8da8026a67c51f1d10f3cc8806751b9126873836
SHA512d2a16e875126da763d4e2e5dda4a62dc4e6388f48778359726fa30976d8dd4ba9fc124f9753f8c166b304fa0d426ed8bc9c308a8fda6bdfc95674dfbfedf8d28
-
Filesize
65B
MD5e3c4113fe252d3c46dbaa35eef7f02f4
SHA1265bd42d836078f774b7a6f58fb965935b78c578
SHA25659ef2c2a894a1dbf1114e63e99edac386a023ae32c6ec9588951ddbe8debd676
SHA512b3e54a6af4471de2ff59c2c4295e3681b13e1418017e14ed152c791e4aafe7cbb18a608b7c9a6b485d3a063bf9eb64a9b74248733e9286a83c869a12d3d17482
-
Filesize
65B
MD56dfc97c20597bdd8f62955bf1ed3a6ed
SHA1137177304be17a23b467db93935347a0b9996ab8
SHA256885dec56791f6ddd711930b61b2ed390066ea3b676e26a7f42681cf52277660d
SHA5128c82f0bd3a69a80131f5ab0cd4b6a7d2a3698687f1d34a04ad7615be8ec990911b23749d54c039d4dfebeb2880c05f1122e6fb43adcf33d9955926c23b58560a
-
Filesize
22KB
MD5abf22a87e1a591a9c3a868bd68b90c25
SHA1c4554798997aa1762a7606d6ec8c8449acac6a6d
SHA256c27579fc470d0e6ddd80dc010df6efb4f269d07d8881e8286717fd6b5eb5fafc
SHA512781a7893bd7ae9521024e40793e31c67bb132d9b66e3de230a593be200a14d2f307e28ee684d537b74ae58c403808f099ff25a4d84b24936f01a881890d0e110
-
Filesize
100B
MD548d5dff58272563763841b8331e1f3a9
SHA14744d508450a84cdb940e382a849d595c93bbe60
SHA256d700cdbaca0f987fae58df3a380f8d7aa54eb7241fb0ec66e98d2d5dd2a1ac2d
SHA51222550cedea6c85b509df4636785e8644f88a235dd1e84df4665364d47af55cfeedb2872e3d58adde73513f9cf86520ec7c27694922b3a65bc37bc29b8965fc87
-
Filesize
2KB
MD519a74bea22187f281d461ec524873074
SHA1d1659d5793f093ea36d15567b04a19ce831b4a99
SHA256b644fab6da0fcf708d0d9961eaca2a71ae485474037bb697e098f91659c43db1
SHA5120584e5822d2543d2227b31f9a1bbbd18d74f80202f2d7a438f4980c93f0316abe4de4a16298e00f13646d3698705dbd74d897a1f064ee91afe2868ec22dfe2a6
-
Filesize
377B
MD5b6e775115b2708ec3df5686e5569b0e5
SHA12b346e081509c77a44be5b8c513b401fe4462249
SHA256710bca1ee537bb94ce42502053561946cbbde7bb0eee46b4939cfd771cbbdc1c
SHA51229c6cd9ac77c00d0e71e3d7ac21bda53ae07921cda92d3c94c8dd72dbd987c69df3b162efa85959fb5626840f4b213ebc5ae9079951e51ce0c4ddfd113e94d96
-
Filesize
1KB
MD51cce87ca891f858873df3581d53080db
SHA1bb1f732f8dc8dcfe5674f583b76adb1acba26cd1
SHA2568415d196c71520811cf5245e00fa5e94ebdec10345ec38ba5a4070f3b0d76105
SHA512226923f64dcbcecb13240bdb9898bdea0f6ecc33b73c7b79fa8324c6cbe09957bca4f945765753d9017da126a974217bd6e0de1ed8c38b955800c2425f941ff7
-
Filesize
3KB
MD53208a159b7bfb1182051612c4b7ba741
SHA171fb6f812050cc9bf4a69dec19299c230cf7dc34
SHA25653bf82856ce97e30b156b964b6345c62e383a4f20bc84ddaff1e4396824bcb10
SHA512a2924fcf2a341cb754e7d9a85e9a8ed6e7030634a894fe84c0eb43d121fb5f4bf0540b541bc50261de008c5b7c4dcfb78fd0be2c4de3ad8f078ff75088f5cf87
-
Filesize
1KB
MD5714b5ba5556a3a378f1301370f55e7b1
SHA116565507a0babb3bc2a2523354f3a991698fb6f4
SHA256cc330351fa93222e3f8b1d8db800a724586388448da10b61e82d12954055d27a
SHA5124409d5f45a492c115025fbba64edacfa6f80fe4e2a71045975c5ba0b350c48b581a19b141ef685b08a59cdd53eced08c25859ae954c17b24e3ea6a35cfe7e64b
-
Filesize
129KB
MD5f580b0eaf84d48c12bd41bd69f4f9afc
SHA1668af376385b795ac186f678f0bb4ed8dc26df68
SHA256a57ce86f238509a59b85e8ab170466c233d80fb0f0171d32f7c6a5d1753cf5fa
SHA512aa694d31935e710b5b87292a04c450b1403423dbed1ebfefd2747f144639906441e5bb813cbbd28165209b90ea3b45e7751815b0bc276d49457c8e960f2af90e
-
Filesize
3KB
MD5ee605850778b585f63c6382ab05e8112
SHA14463ca8edb3c221fd0bec825822d0f77b71d2e10
SHA256583e9114740dd5e71aec0a4bab86d644c1856a3008d248f41502fc4368b62398
SHA512ab521ba8d4b06b0d440d80a50b2439ec983a26df943021c82a9cabf931c352e11e6f8e12c5b97ffaed30ea60bf989c04fe5e96237cab6dc06241c19a4464e50b
-
Filesize
2KB
MD54e7a4217392410d55c48d1dabae0cb38
SHA17173d944ffb06977e8f7b8b214ecd4142ed3b9b7
SHA256aca70b5b238f37c84fa9a3b6db39d56abf120629e4ded88b5270987bc7eeaf96
SHA512034b581edc5d3cc810394e8a61460c0613553f2f379c62c036659e862c27cc42d8ad6f4c366bd2133a5ea53c4ee3c748839accb6755e9f9100107e5d305665e5
-
Filesize
4KB
MD5ccc85d0cd50498698b6884b0c01eceb5
SHA1500c60fb341f8834ee26bb5ada33f22dcfffbda7
SHA256e3bde6b2633f4f8f1482bd24394b70a9510df849ec912c76f7a68be867a0cb7a
SHA512e4892b9d6a4d6b2008052d9a53b1ca04185f26ca710e0cab6e4bc0deaba28efba6dc3664bbe6267c0f4a2c888fed8ecc3eef19ae1e6a019ac81cac0f5d4ee893
-
Filesize
524B
MD5f149b2ba2027e4023f5c77af4c3a87a0
SHA1b345e170c51b10af093984932eea53f4ae73d106
SHA256b7d7d04467e439cacd5d52d515b8d3d75ea9d27370808da0b6bc1d3f641be5ea
SHA51255703f521c008e8c9da345493584568f923acda7f34b831ef8c51a8247a9d1cd3fa8065d061ed796d60e456d7141c88555bba8cea61e6d3c230576f9d6f21f9e
-
Filesize
3KB
MD581e9e2761a1abaa59f61881664ce5a88
SHA1049529b80a5bb5b7ab4e1b3e7c519bd4a833243f
SHA2565aefe8f5e8ef8c6d9b68ddd22b530b0971c867d3d48bc30a5269ceaf2274901a
SHA51262d773f2ee5678e978c4bfb249f3b043c9c777eb45a6d9891e27eb7ab80f1c2bc05993329a3f88c1370f19d31819471a32e27db116b9f7a19d70690b6e6d0179
-
Filesize
887B
MD5c81b5317d4908545f44864fce61f1851
SHA12845725264796608d781187d95d7d41ab872dea5
SHA256e9faf89885257ccdf9b9cdea3c4104079977d43d907fd948f4c1526aee0c923a
SHA512f1cfa4d3aaa99bfcd51fd39314b75547e5ba26df5daf3ca432d95941e42099b5e429367ee80caae0f4e00ce5a62a4e5c4eea9e7b4deddc82c68ba7fe382a51e8
-
Filesize
1KB
MD5671026e8f81a523575b346275f619ea7
SHA1974512f4dbd74248120922478d01ffba73ce44ea
SHA256ff9bd1b23341b5ef229ce7b706842db6b2f6691fc5f7df31ba49b13e0c26d3d7
SHA512bc8a89eff659242a8af09003c99bf1f469123e35612cf48215dae1f53680bad4f438764d230c6f2c9f3da21831706fa82f1b6843edb52b2cbc0fc25801b93eef
-
Filesize
4KB
MD521ddceeb0c385676eb35365c4ff1d24d
SHA19cbcd87590720bf2ce80304d0b298fbb44cb61e3
SHA25682a9d562fac82452d5a767c2d0355e2e8f2d8550b62091522ab3985f6ec7ed0f
SHA51215e115831e4ba38e8d73044cf50de8f8777faba3d1d099dc5eaba7af53ff87cb7c752f708b25aee35e1a416cac9debcf4f94e85d45a58ab109ac45d435c22840
-
Filesize
1KB
MD5ca0b373b889e605d1b85dde93f301e63
SHA1a72b53f9f77f979bde20247b331b1809b58e1cba
SHA2567e1958d6db091553d31366647375ddf1b9a3a747dfbbeb067b51d3b04be97f6f
SHA5124adeaabb6f75859d686d88089b3be8ebe81a973aaf73fa28571961599f70143f356460ec4e10054c8864f0a15418ab1797f0418a4bbe16e68f6ae8cec7d37944
-
Filesize
967B
MD581a14090a89ea84f314bb42c45978088
SHA16eed3a6053cb148bda8bc91997fc72217d53b24a
SHA256b33347a75bba19d1832ac914dae86097b9485ff3d64c33741522c7f28c349c39
SHA51200b77fd31a1cdb04adb57db4dbe15e2640f0ba411667378fed197ecc49d2af86e23b37cfb99b1006fca177ddd7362cf5cce0c5ec8646d63c10dbb4a22b846525
-
Filesize
1KB
MD5802d14c8b7994818f8da8d3c16ceca0c
SHA19405d119653f03bbdf9a12df89e66476b26810d6
SHA256739a7e4c197fc12287217eab7e52ed30a2b50cff7ac1905bfa62e4ded8d37b35
SHA5120889bdedfb4cf54eb2bb1eb3be6398d9c7bdbbc6b005522a7487c99c70908ee2cb9b954a523f16693ead2dc932028c051088faca1a6a56d89a0a764047da29ff
-
Filesize
1KB
MD580b1c409a323cd8dcab67dc9c60e1e99
SHA1b49eb838cfc8d6ff86dacea72214b9b8449afd23
SHA256eac261c67395603917c6e5a1ee8b9787897d027c7c31b6ede2568eb15c1ee214
SHA512505eed0c9fceb7bed7f5cb11b41363ddb55eeb232a54a0e803007c8968fd84fdcf3c721d4ef541dc41696eab1d1de6de8bafdcc2667dacdb76aa4600f8452ab7
-
Filesize
881B
MD5e586476b3a6efc0756e821207fa287c1
SHA1b146c212391eda28e0d7325ebb2c79d357023ef6
SHA2564fb548b7299ec5169152b442f494e458298e3897c98f29a48145768b40d07bb9
SHA512f4866ac94712bd47f187df835ebfe5543e55d8879c305715ceaab47b2bc08fdce658b6e24f59ed82a78ca8ff4bdb13f63475a8a1e030a8ec97326f1f719dcf3a
-
Filesize
1KB
MD58caf19a4defdf0503c9586e272e88b3d
SHA17448169d23bce710bb687eaf10da08119bfe7ac2
SHA25677ce6bd5a30454e48f216d504f592f84d18fe59d0b52cd89787b4cdb06420be8
SHA512d4c5dc1eaed5fa90cc0d2c269bab99bb55f25eaa81cd7a5a894745b8ee349fc4e9db837072800ce3fec6f16d794e4e11f336c488bbbc0c5f011176ee705e626a
-
Filesize
244KB
MD50c8d0933037436b674f2b8478ec5baba
SHA1e8a7034c43d84b18fb93dc02e8a0b818a645ece1
SHA2562d89f1c873f9c04f773f309eb3b6a8ed32881868bfab3f4273f7e9c2db322fc1
SHA512305050c391f443007e3f6e2e4ec60997da69db406b6d85efd19ed9f71683dbc9697280307867237b24034ebe9d99e8f249fc5fc75cb5bfe55721c283261ab144
-
Filesize
12KB
MD5b8716caba5407aabf8d98d2d31a57bcc
SHA18320281aa17ebc234bf92d1864c6be5ab04a1d0a
SHA256b983256011f742a14dba9b89e7b2c6c3c354b3e925dea02e482a65b5189a0872
SHA512684473a0d990b780bd832716bec8b74dc9a7f8a7c159b6d4e49ff74e192ce59bce35c9c42072f4b24853227891c287908fd8c97405130a3fa106fe7ceeea3547
-
Filesize
56KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
