Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

613c8540d1...9a.exe

windows7-x64

10

613c8540d1...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27/10/2022, 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    613c8540d116ee2b43a99067e04fa79a.exe

  • Size

    2.9MB

  • MD5

    613c8540d116ee2b43a99067e04fa79a

  • SHA1

    9cb122624c4e81615e1e7c7b1210a2d6d0dc6840

  • SHA256

    f19bfa53dd35f17d71e2c3771b2160a2799216c8e7b6a5b5bc1253c4d12a37e7

  • SHA512

    0a53ef3bbeccdea1382dc461307da17905861977ab7d6faa6b7339d64464b4fccb36c1d418f52d7453c84d4fcf98aab7e85d3eeea4b0dd00a4ec153d7da3a3c1

  • SSDEEP

    49152:MQ00xeGLcCrbIF1T1TcRPKlQp4z8mlraJafgtHOpaAl+mx0flF640Sya:MQ0FCrbG9VcRilQpkFrpxaAl+m4Asy

Score
10/10
dcratevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
    persistence
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 30 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\613c8540d116ee2b43a99067e04fa79a.exe
    "C:\Users\Admin\AppData\Local\Temp\613c8540d116ee2b43a99067e04fa79a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JUCZMD8jrG.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2180
        • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2220
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0944b749-af75-464e-a8f2-411b33512fdf.vbs"
            4⤵
              PID:2924
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3845205b-45d3-4c87-99d1-8e1e00b83c17.vbs"
              4⤵
                PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2024
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1196
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1144
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:928

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe
          Filesize

          2.9MB

          MD5

          5b3a6d2cc35af159c38df5dd2975e369

          SHA1

          65fa9ac787a948c606cb298b9b8f0a174fd337c3

          SHA256

          8180208a7a154aa068d05eff33fd9b32dd87a6f6ae8b8ff4424a15c8e3d05f6f

          SHA512

          4b4b0e232454f4547d4b8ecb60eb3d945ff3a400c57ae1078630f08aa58400ed2172c8b4e83558a7820e25105846958271e76724c9becf48db71ea395a6ea532

          Download Submit

        • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe
          Filesize

          2.9MB

          MD5

          5b3a6d2cc35af159c38df5dd2975e369

          SHA1

          65fa9ac787a948c606cb298b9b8f0a174fd337c3

          SHA256

          8180208a7a154aa068d05eff33fd9b32dd87a6f6ae8b8ff4424a15c8e3d05f6f

          SHA512

          4b4b0e232454f4547d4b8ecb60eb3d945ff3a400c57ae1078630f08aa58400ed2172c8b4e83558a7820e25105846958271e76724c9becf48db71ea395a6ea532

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0944b749-af75-464e-a8f2-411b33512fdf.vbs
          Filesize

          731B

          MD5

          4e0230e4cc2aee66c3e4d0c1a8e2e021

          SHA1

          c89be3eb9a7db8746c88930a76699fa111c9e150

          SHA256

          bd6d47a1d8597ee6cad01492edcdbc11402cf192cc8551170282b2a717f26cb5

          SHA512

          354c28e7e4c8dbefdf30e701e596723f7ea76cb02ecfd6ce81870523e2fb9b2647b64cf62bf0f60503b194fee5a502d875d58f8358f9af58b22f7e604a9bd9c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3845205b-45d3-4c87-99d1-8e1e00b83c17.vbs
          Filesize

          507B

          MD5

          f52956829513ac8c3b5ead04b3e021e1

          SHA1

          1e3d5962e26c99e418641396e8d5b400065f03ab

          SHA256

          0e89c81b781e30bf64c6b842dc14414a12a6a87ca148795497fecfb017f2ae96

          SHA512

          b6a93377b7bd498c698a4ee6038f9135e0798cfe14efedaf434aba7310463f53f46d4760f4f9a54b040b61b38f2e90102065681f55665961dd4bf71a74581483

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\JUCZMD8jrG.bat
          Filesize

          220B

          MD5

          89dc30ee3e64d92480bfabbae97ead33

          SHA1

          58482fab6c3de0bfa7f71b4dbad0fc6c8c690057

          SHA256

          60c1d6eaa9fd0de767055307a16477bba8bf7c864faa4af1aab7b8e4aeae2805

          SHA512

          38d935cd30567cfad513732fdafa6c9133765abd2451cae9a25e9cb40768e9e77f57d33368f837d9ab9a2b32fbda1f6e0bf9dd0442163bc13c4bd3f12cdc9869

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp01599.tmp
          Filesize

          1KB

          MD5

          edc2400a729fd24de59adc3f30316d23

          SHA1

          d488e59137596e26c2672abe2a2d3507212b2d60

          SHA256

          052ef7825d69502e423177a815a1a9a53ca41e9e9ef00ef1fdedc6f49521d340

          SHA512

          b7bc88e6cb813360347aa683e1a76231b7d95920d5f1a45cbc46e8edd1d475dee4947803c1aa0dacc6604da3408b1d825ebadb4cf20a31eadd64be77aedc1511

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          1b14e3aa99b3cad488c235660b47cef0

          SHA1

          4e9d6ada0dfda789311b01c018067c53ab0d29c1

          SHA256

          ca0e6386e9788b4889e04fdca4430bee19e62c0ba1f63f1f2e48f653e666f707

          SHA512

          2df69ce96421e927863551e2e7151cdc17698f4e9458c1e0e84f0eb845d68a0047ac659adac58933aa5e5a66dbbcdf737eba43c8c2833a153cd7ff25f6812287

          Download Submit

        • memory/612-113-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/612-130-0x00000000027B4000-0x00000000027B7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/612-172-0x00000000027B4000-0x00000000027B7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/612-174-0x00000000027BB000-0x00000000027DA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/612-127-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/612-151-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/612-157-0x00000000027B4000-0x00000000027B7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-136-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-184-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/692-183-0x00000000029AB000-0x00000000029CA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/692-119-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/692-168-0x000000001B810000-0x000000001BB0F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/692-147-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/692-163-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1112-133-0x0000000002644000-0x0000000002647000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1112-171-0x000000001B850000-0x000000001BB4F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1112-188-0x000000000264B000-0x000000000266A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1112-160-0x0000000002644000-0x0000000002647000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1112-124-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1112-148-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1184-72-0x000000001A790000-0x000000001A79E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1184-67-0x0000000002110000-0x0000000002122000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1184-54-0x0000000000890000-0x0000000000B80000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1184-63-0x00000000005E0000-0x00000000005EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1184-71-0x00000000021F0000-0x00000000021F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1184-57-0x00000000002E0000-0x00000000002FC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1184-69-0x00000000021D0000-0x00000000021DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1184-70-0x00000000021E0000-0x00000000021EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1184-68-0x0000000002140000-0x0000000002148000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1184-65-0x0000000000600000-0x000000000060C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1184-62-0x00000000005F0000-0x0000000000600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1184-66-0x0000000000820000-0x000000000082C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1184-56-0x0000000000250000-0x0000000000258000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1184-73-0x000000001A7A0000-0x000000001A7AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1184-55-0x0000000000240000-0x000000000024E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1184-58-0x0000000000300000-0x0000000000308000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1184-59-0x0000000000310000-0x0000000000320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1184-64-0x0000000000840000-0x0000000000896000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1184-60-0x00000000005C0000-0x00000000005D6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1184-61-0x00000000003A0000-0x00000000003B2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1216-145-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1216-91-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1216-167-0x000000001B840000-0x000000001BB3F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1216-132-0x0000000002534000-0x0000000002537000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1216-159-0x0000000002534000-0x0000000002537000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1216-190-0x0000000002534000-0x0000000002537000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1292-120-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1292-153-0x000000001B790000-0x000000001BA8F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1292-166-0x0000000002424000-0x0000000002427000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1292-177-0x0000000002424000-0x0000000002427000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1292-129-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1292-178-0x000000000242B000-0x000000000244A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1292-142-0x0000000002424000-0x0000000002427000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1352-143-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1352-125-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1352-131-0x00000000028E4000-0x00000000028E7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1352-158-0x00000000028E4000-0x00000000028E7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1352-176-0x00000000028EB000-0x000000000290A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1352-175-0x00000000028E4000-0x00000000028E7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1572-138-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1572-150-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1572-165-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1572-185-0x000000000252B000-0x000000000254A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1572-187-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1572-170-0x000000001B730000-0x000000001BA2F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1572-123-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1684-135-0x0000000002974000-0x0000000002977000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1684-173-0x000000001B780000-0x000000001BA7F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1684-162-0x0000000002974000-0x0000000002977000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1684-186-0x000000000297B000-0x000000000299A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1684-189-0x0000000002974000-0x0000000002977000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1684-146-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1684-121-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1796-87-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1796-161-0x0000000001DD0000-0x0000000001E50000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1796-80-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1796-149-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1796-134-0x0000000001DD0000-0x0000000001E50000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1992-199-0x000007FEE9790000-0x000007FEEA2ED000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1992-198-0x000007FEEA2F0000-0x000007FEEAD13000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1996-156-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1996-182-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1996-179-0x000000000292B000-0x000000000294A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1996-152-0x000000001B880000-0x000000001BB7F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1996-128-0x0000000002924000-0x0000000002927000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1996-114-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1996-126-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/2016-181-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2016-155-0x000000001B870000-0x000000001BB6F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2016-180-0x00000000029AB000-0x00000000029CA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/2016-164-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2016-137-0x00000000029A4000-0x00000000029A7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2016-122-0x000007FEEA270000-0x000007FEEAC93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/2016-144-0x000007FEE9710000-0x000007FEEA26D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/2220-139-0x0000000000970000-0x0000000000982000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2220-118-0x00000000013C0000-0x00000000016B0000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2220-140-0x0000000000A50000-0x0000000000AA6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2220-141-0x00000000009C0000-0x00000000009D2000-memory.dmp

          Filesize

          72KB

          Download