4e49c64502a20424d2ec6945aaaa92bf6706f9fa4c29735ccd3e77760c5186c4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe
Size

423KB
MD5

2a3205eb0447b88704c53f86f85431ae
SHA1

200772e1ef8e70224ef854eb9b4458618e7b9cb4
SHA256

4e49c64502a20424d2ec6945aaaa92bf6706f9fa4c29735ccd3e77760c5186c4
SHA512

0a177bfa8d917df728973c746c490b698ee6de353b1223e5fba376723d335417d23db7ecd3f57be027b05c9d4729fa308f37d8f61b93ab3038443c9cc4847bf6
SSDEEP

12288:1tlTn8Jx/YCxEyYgwlO5+d0cnDqa0zgdftsG/1wx6O:6xvxEMP5wqEvCr

Score

10^/10

discovery evasion execution persistence trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zf2c.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1EuroP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

pid	Process
3976	boappsdl.exe
3960	1EuroP.exe
4408	2IC.exe
3956	3E4U - Bucks.exe
1728	6tbp.exe
3888	IR.exe
4116	zf2c.exe
2896	zf2c.exe

Loads dropped DLL 2 IoCs

pid	Process
320	rundll32.exe
4412	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cvoruxojaponadu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\neryp32.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ws7s = "C:\\Users\\Admin\\AppData\\Roaming\\zf2c.exe"	IR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c91-56.dat	upx
behavioral2/memory/3888-73-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3956-79-0x0000000000AF0000-0x0000000000B0D000-memory.dmp	upx
behavioral2/memory/4116-83-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3888-97-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4116-106-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2896-108-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2896-131-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4116-136-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3900	sc.exe
1520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4292	3956	WerFault.exe	89
2840	4408	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boappsdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1EuroP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3E4U - Bucks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zf2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zf2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2IC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe
320	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3960	1EuroP.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1728	6tbp.exe
3888	IR.exe
320	rundll32.exe
3888	IR.exe
3888	IR.exe
4116	zf2c.exe
4116	zf2c.exe
4116	zf2c.exe
2896	zf2c.exe
2896	zf2c.exe
2896	zf2c.exe
4412	rundll32.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3976	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	85
PID 1836 wrote to memory of 3976	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	85
PID 1836 wrote to memory of 3976	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	85
PID 1836 wrote to memory of 3960	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	87
PID 1836 wrote to memory of 3960	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	87
PID 1836 wrote to memory of 3960	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	87
PID 1836 wrote to memory of 4408	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	88
PID 1836 wrote to memory of 4408	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	88
PID 1836 wrote to memory of 4408	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	88
PID 1836 wrote to memory of 3956	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	89
PID 1836 wrote to memory of 3956	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	89
PID 1836 wrote to memory of 3956	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	89
PID 1836 wrote to memory of 1728	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	90
PID 1836 wrote to memory of 1728	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	90
PID 1836 wrote to memory of 1728	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	90
PID 1836 wrote to memory of 3888	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	91
PID 1836 wrote to memory of 3888	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	91
PID 1836 wrote to memory of 3888	1836	2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe	91
PID 1728 wrote to memory of 320	1728	6tbp.exe	92
PID 1728 wrote to memory of 320	1728	6tbp.exe	92
PID 1728 wrote to memory of 320	1728	6tbp.exe	92
PID 3888 wrote to memory of 4008	3888	IR.exe	99
PID 3888 wrote to memory of 4008	3888	IR.exe	99
PID 3888 wrote to memory of 4008	3888	IR.exe	99
PID 3888 wrote to memory of 3900	3888	IR.exe	100
PID 3888 wrote to memory of 3900	3888	IR.exe	100
PID 3888 wrote to memory of 3900	3888	IR.exe	100
PID 3888 wrote to memory of 4760	3888	IR.exe	101
PID 3888 wrote to memory of 4760	3888	IR.exe	101
PID 3888 wrote to memory of 4760	3888	IR.exe	101
PID 3888 wrote to memory of 1520	3888	IR.exe	102
PID 3888 wrote to memory of 1520	3888	IR.exe	102
PID 3888 wrote to memory of 1520	3888	IR.exe	102
PID 3888 wrote to memory of 4116	3888	IR.exe	103
PID 3888 wrote to memory of 4116	3888	IR.exe	103
PID 3888 wrote to memory of 4116	3888	IR.exe	103
PID 3888 wrote to memory of 2244	3888	IR.exe	108
PID 3888 wrote to memory of 2244	3888	IR.exe	108
PID 3888 wrote to memory of 2244	3888	IR.exe	108
PID 3960 wrote to memory of 2004	3960	1EuroP.exe	109
PID 3960 wrote to memory of 2004	3960	1EuroP.exe	109
PID 3960 wrote to memory of 2004	3960	1EuroP.exe	109
PID 4760 wrote to memory of 1592	4760	net.exe	111
PID 4760 wrote to memory of 1592	4760	net.exe	111
PID 4760 wrote to memory of 1592	4760	net.exe	111
PID 2244 wrote to memory of 2972	2244	Rundll32.exe	110
PID 2244 wrote to memory of 2972	2244	Rundll32.exe	110
PID 2244 wrote to memory of 2972	2244	Rundll32.exe	110
PID 3888 wrote to memory of 3192	3888	IR.exe	112
PID 3888 wrote to memory of 3192	3888	IR.exe	112
PID 3888 wrote to memory of 3192	3888	IR.exe	112
PID 4008 wrote to memory of 4632	4008	net.exe	115
PID 4008 wrote to memory of 4632	4008	net.exe	115
PID 4008 wrote to memory of 4632	4008	net.exe	115
PID 2972 wrote to memory of 3020	2972	runonce.exe	116
PID 2972 wrote to memory of 3020	2972	runonce.exe	116
PID 2972 wrote to memory of 3020	2972	runonce.exe	116
PID 4116 wrote to memory of 2896	4116	zf2c.exe	117
PID 4116 wrote to memory of 2896	4116	zf2c.exe	117
PID 4116 wrote to memory of 2896	4116	zf2c.exe	117
PID 320 wrote to memory of 4412	320	rundll32.exe	121
PID 320 wrote to memory of 4412	320	rundll32.exe	121
PID 320 wrote to memory of 4412	320	rundll32.exe	121

C:\Users\Admin\AppData\Local\Temp\2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a3205eb0447b88704c53f86f85431ae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\boappsdl.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\boappsdl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\1EuroP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Swz..bat" > nul 2> nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 476
    3⤵
    - Program crash
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 588
    3⤵
    - Program crash
    PID:4292
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\neryp32.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\neryp32.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4412
- C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4632
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Users\Admin\AppData\Roaming\zf2c.exe
    C:\Users\Admin\AppData\Roaming\zf2c.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Roaming\zf2c.exe
      C:\Users\Admin\AppData\Roaming\zf2c.exe -d2D3EDA3027E0B36C62934E69D296DDD8A93C6C1CDEBCCA03EB87CCBA8E5885ED98E46B76007C83DDE09409A6033D2A0226E5CF2728838FD3B28B35491C6384F6A6EF238C353DD23E337256114AB1C3C90C3B064AC879E4E41BA9C6AE02F6088E7324ABB9C9D790208741B0E73DFEEABF9924596AE2B9586F755797D9F788F3425E48EC450340EF3A4978CF9CB07420AF49A45252DC27BDFF4BD0025DEE30658E03660F7266005F712671ADF7B8262687DAB1B90A5B79259C6A67A02F1D59BF693F407D6FB9F4926F0C7C811BAB3AFDAD48F698DD430DDF51E10249D9F93FA2752F93DED200B279C82627C6571DD7E5A6D1E4371EBAC97ECAFB4B179F36CDF09B2FC11DB7800844F0E4033408E4AD61A7F1512019250AD2494770632BCB66C9F3DE926295BEF56459F0CEC4BB140A30DC66B01BA128AAEBDA8FBCC6B1EC958FFD1856156F80648B343928AFE203C254B32C273171A82D1CE0E34A18720DE9E199FA9FE1FCC9D7AA01EB396E3244920E69812EACC4CC9FF5C68F747367E565A219E1CEAE66E090F2067300BB28AF43DE52E1EF142FF7C4473D1FAC3040677DF3E66A0DA40D48EAD29B7EFD8EE4568D874D0AA833D0CF8223C86144E75EC9BA342672072D11C844FEE7FA5120A2902F0874F810
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2896
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\e6le8hoc.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3956 -ip 3956
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Swz..bat

Filesize
182B

MD5
27b90c060cb60b2a8d5b3cad3b73b99b

SHA1
2a69340c9a029e6e8b81d7f88175121d8aefcd34

SHA256
0f756574588408e534be31432f508426d6da4471730c8f39c60d5cac20e389eb

SHA512
79c2c130a02d55a181232054a8ca4010dddf5af34fcf0df15e5900a7fde6a958777837a6d12833f83ead830f6c24f411fee7e44d46c331fe38550ee4dbffe7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\1EuroP.exe

Filesize
75KB

MD5
2784875b2b2dde69361d6b917f54758b

SHA1
747a0ec068660337474dd9d0afc0876387e204fc

SHA256
c40e5a64c3cac44e3e1ebb7c9825b519f54ae7cffb7a9cb0b70c8a4ee14f56a6

SHA512
6cd12efb866e46bf5df0a3a319c58b2632640039874631910290ee3eeb955b36705d24cb57f313825897cdfc1f750a74a30e7cef4614478586f8c800ce665350

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\2IC.exe

Filesize
181KB

MD5
e7e229b007a6544258fe277d5da484b1

SHA1
2cc56dc3845c06ece6c504797c7e47fa6b6fc567

SHA256
fc6b2bda4157eff1bd6848fa5a468b5259c534417958b25b9f5cdd3cabd2a111

SHA512
2bde6b535ef15b936ccf9f84ab0413784de594647d2afb894b2898c11864d863b5e4357428a4c6457e5ef9e84159f5d48c96d39e1d3eb685b9949b1add3c4c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\3E4U - Bucks.exe

Filesize
25KB

MD5
c2843e6d91b543622030f50878a5a73d

SHA1
a1594ac083039ba3365cb6fe486e6e69d098229b

SHA256
d6959e93c6fed6115e733bcdebd8b831e79a0f01488ade309f87135346cc61f5

SHA512
72260c6d2664347c38279a20bee7c8f3c1ede0576ee60a7ccd63fced9c4589279b4c7cd062f376dcca645aa5c00554c3aedc832b72a6912eaf776ea1badf1581

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\6tbp.exe

Filesize
128KB

MD5
370ca2875a57cb84d38efe9080ad1c0d

SHA1
44ae32885406e806a49adbd4b7e10f478c1cb34e

SHA256
06575b6a771ae7ced801857accf8041da9a3b4933e49f0a13046284455ee9069

SHA512
82c230dddc72236cdf84683ae430eabc101a55a8a143a219667f3441f3bc225aa021550588f20098b2fe61a6e0d5efe8672de98271dc9f41d7707d59fc1c0cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\IR.exe

Filesize
61KB

MD5
03019043f2fb9601a4e6b5aca7f200fc

SHA1
e496986cf539b906b519afd282623619da515386

SHA256
e63371b06dcbfc7cfc4bc4d5112606a743f5f6b88475ed54c69a61273ccfa9e1

SHA512
d920d9e588801aaa31802e208dd28ed524155e4c634ba1068ea39512da45872fd80057a4ca05e9acbeaeb6f7360878afab9275efdd96eab6be55d77b2e021ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA78C.tmp\boappsdl.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\neryp32.dll

Filesize
128KB

MD5
bfe877e4a2ce901f4f5ce760c85abce7

SHA1
fee22bcb0bf86d0872d1dd72fcb49cb2748d3d37

SHA256
312e9adbdf485b8b43898c857f54c97bc2275f73daa0fda79bf3c7338e3e1c47

SHA512
3067fe28a9948106ad87a85e72f93a0e20422ce9a38f490dff0b2c08699b3a3f8b83b0f309186e6273055d38c7d051412c6c65f215f2415006bd4b434157e84a

Download Submit
C:\Users\Admin\AppData\Roaming\e6le8hoc.bat

Filesize
154B

MD5
266668a9d8829e22def10d60e0774f22

SHA1
8e7d0134a6b488f4457a481ad4b08287f8414686

SHA256
e974519b84f1b77efcfa52efbbfb1649102e9050330d7860d37dcbe80c357615

SHA512
c6963ea9615283016e8616c8903533234954c90d3972346a0e840c5299aed441a831c266ed8cae34cf228779be82b246676dd40b1ef0c511c64a9f0456dc63c7

Download Submit
C:\Users\Admin\AppData\Roaming\mdinstall.inf

Filesize
410B

MD5
3ccb3b743b0d79505a75476800c90737

SHA1
b5670f123572972883655ef91c69ecc2be987a63

SHA256
5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

SHA512
09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

Download Submit
memory/320-119-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/320-78-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/320-116-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/320-105-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1728-68-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1728-104-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2896-108-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2896-131-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3888-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3888-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3956-79-0x0000000000AF0000-0x0000000000B0D000-memory.dmp

Filesize
116KB

Download
memory/3956-72-0x00000000024A0000-0x0000000002BA0000-memory.dmp

Filesize
7.0MB

Download
memory/3960-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3960-43-0x00000000007C0000-0x00000000007E5000-memory.dmp

Filesize
148KB

Download
memory/3960-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4116-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4116-106-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4116-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4412-120-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download