Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:42

General

  • Target

    JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe

  • Size

    1.3MB

  • MD5

    5bfc410c52b9a8e9586447e35a2e0571

  • SHA1

    36439d929ecb0cc75393a0137bfc9bd9bcac10ce

  • SHA256

    6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7

  • SHA512

    32beff4980735ad8cff05f804f4242df20e14adaa13f3a897114ec87f819b5ab7d54d28a5683e14558d4c0569b1d0d7a89ba8b465a5bac9852cf205e4a3ecc21

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here it fires on the 24 schtasks.exe invocations that appear at depth 1 in the process tree below without a parent entry.

  • DCRat payload 12 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Every invocation in this run is Add-MpPreference -ExclusionPath for one of the dropped binaries, so the nine exclusions (eight distinct paths; C:\providercommon\conhost.exe is excluded twice) double as an inventory of the files the sample wants Defender to ignore.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    schtasks.exe is often used by malware for persistence or to perform post-infection execution. The 24 tasks below register each dropped binary three times: an ONLOGON trigger with /rl HIGHEST, and two MINUTE repeats (one with /rl HIGHEST, one without), each task named after the Windows process whose file name the binary borrows.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
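The two signatures above that matter most for triage, the Add-MpPreference exclusions and the schtasks /create tasks named after system processes, can be worked straight from the command lines recorded in the Processes section below. The following Python script is an added example, not code from this report or from the DCRat sample: it parses both kinds of command line, flags action paths that borrow a system-process name while living outside the Windows system directories, and intersects the exclusion list with the task list. SAMPLE_COMMANDS is a subset of the report's command lines (the quotes around the powershell token are dropped); SYSTEM_PROCESS_NAMES, SYSTEM_DIRS, the 15-minute interval threshold and all function names are the author's assumptions.

```python
"""Triage of the schtasks and Add-MpPreference command lines in this report.

Added example, not code from the report or from the DCRat sample. SAMPLE_COMMANDS
is copied from the Processes section; everything else is the author's assumption.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Windows system binaries whose names commodity RATs reuse for dropped copies of
# themselves (assumed list; extend as needed), and the only places they belong.
SYSTEM_PROCESS_NAMES = {"smss", "csrss", "lsass", "lsm", "conhost", "spoolsv",
                        "svchost", "wininit", "winlogon", "services", "dwm"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def masquerades(path: str) -> bool:
    """True if the file name copies a system process but the file lives elsewhere."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    return stem in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS)

@dataclass(frozen=True)
class ScheduledTask:
    name: str
    schedule: str         # ONLOGON, MINUTE, DAILY, ...
    modifier: int | None  # /mo value; the interval in minutes for /sc MINUTE
    action: str           # the path the task runs
    run_level: str        # HIGHEST, or schtasks' default LIMITED

def parse_schtasks(cmd: str) -> ScheduledTask | None:
    """Extract the persistence-relevant fields of a 'schtasks /create' line."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return None

    def opt(flag: str, value: str = r'"?([^"\s]+)"?') -> str | None:
        m = re.search(rf"/{flag}\s+{value}", cmd, re.I)
        return m.group(1) if m else None

    # /tr is written "'C:\path with spaces\x.exe'": strip both quote layers.
    action = opt("tr", r"""["']+([^"']+)["']+""")
    if action is None:
        return None
    mo = opt("mo")
    return ScheduledTask(name=opt("tn") or "", schedule=(opt("sc") or "").upper(),
                         modifier=int(mo) if mo and mo.isdigit() else None,
                         action=action, run_level=(opt("rl") or "LIMITED").upper())

def parse_exclusions(cmd: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs added by an Add-/Set-MpPreference command line."""
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", cmd, re.I):
        return []
    pairs = []
    for kind, sq, dq, bare in re.findall(
            r"""-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""",
            cmd, re.I):
        for value in (sq or dq or bare).split(","):  # the cmdlet accepts lists
            pairs.append((kind.capitalize(), value.strip()))
    return pairs

def triage(command_lines: list[str]) -> dict[str, list[str]]:
    """Correlate Defender exclusions with scheduled tasks across one process tree.
    excluded_and_scheduled is the implant set; excluded_only is the loader."""
    tasks: list[ScheduledTask] = []
    excluded: dict[str, str] = {}  # lower-cased value -> value as written
    for cmd in command_lines:
        if (task := parse_schtasks(cmd)) is not None:
            tasks.append(task)
        for _, value in parse_exclusions(cmd):
            excluded.setdefault(value.lower(), value)
    scheduled = {t.action.lower(): t.action for t in tasks}
    return {
        "masquerading_tasks": sorted({t.action for t in tasks if masquerades(t.action)}),
        "onlogon_highest": sorted({t.name for t in tasks
                                   if t.schedule == "ONLOGON" and t.run_level == "HIGHEST"}),
        "short_interval_tasks": sorted({t.name for t in tasks  # watchdog-style restarts
                                        if t.schedule == "MINUTE" and (t.modifier or 1) <= 15}),
        "excluded_and_scheduled": sorted(scheduled[p] for p in scheduled if p in excluded),
        "excluded_only": sorted(v for k, v in excluded.items() if k not in scheduled),
    }

# Subset of the command lines in the Processes section of this report.
SAMPLE_COMMANDS = [
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\smss.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'""",
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f""",
    r"""schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f""",
]

if __name__ == "__main__":
    for key, values in triage(SAMPLE_COMMANDS).items():
        print(key, *values, sep="\n  ")
```

On this subset the only path that is excluded but never scheduled is C:\providercommon\DllCommonsvc.exe, the stage that runs the PowerShell and schtasks commands; every scheduled action is both excluded and a system-process name outside System32, which is the combination worth alerting on regardless of which RAT family produced it.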

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2240
          • C:\Program Files\Common Files\Services\smss.exe
            "C:\Program Files\Common Files\Services\smss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1796
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1600
                • C:\Program Files\Common Files\Services\smss.exe
                  "C:\Program Files\Common Files\Services\smss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:780
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2500
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2184
                      • C:\Program Files\Common Files\Services\smss.exe
                        "C:\Program Files\Common Files\Services\smss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3024
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2400
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:1868
                            • C:\Program Files\Common Files\Services\smss.exe
                              "C:\Program Files\Common Files\Services\smss.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:760
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
                                12⤵
                                  PID:2528
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2064
                                    • C:\Program Files\Common Files\Services\smss.exe
                                      "C:\Program Files\Common Files\Services\smss.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2936
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
                                        14⤵
                                          PID:1212
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:2252
                                            • C:\Program Files\Common Files\Services\smss.exe
                                              "C:\Program Files\Common Files\Services\smss.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2860
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
                                                16⤵
                                                  PID:2244
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2716
                                                    • C:\Program Files\Common Files\Services\smss.exe
                                                      "C:\Program Files\Common Files\Services\smss.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2004
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
                                                        18⤵
                                                          PID:2056
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:376
                                                            • C:\Program Files\Common Files\Services\smss.exe
                                                              "C:\Program Files\Common Files\Services\smss.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1520
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
                                                                20⤵
                                                                  PID:348
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:2688
                                                                    • C:\Program Files\Common Files\Services\smss.exe
                                                                      "C:\Program Files\Common Files\Services\smss.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2000
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
                                                                        22⤵
                                                                          PID:1780
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2504
                                                                            • C:\Program Files\Common Files\Services\smss.exe
                                                                              "C:\Program Files\Common Files\Services\smss.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1208
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
                                                                                24⤵
                                                                                  PID:2580
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:2388
                                                                                    • C:\Program Files\Common Files\Services\smss.exe
                                                                                      "C:\Program Files\Common Files\Services\smss.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2900
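The smss.exe chain in the tree above is the same pattern repeated ten times within the 148-second run: each copy of C:\Program Files\Common Files\Services\smss.exe runs cmd.exe on a batch file in the user's Temp directory, that batch file calls w32tm /stripchart (two samples five seconds apart, used as a roughly five-second sleep) and then starts smss.exe again. Two details trip up a naive reading of the tree: the first cmd.exe at depth 3 runs a batch file from C:\providercommon, not Temp, so it is not part of the loop, and PIDs are reused during the run (3024 is first the submitted sample and later the smss.exe at depth 9; 2688 is the cmd.exe at depth 3 and the w32tm.exe at depth 21), so parent links must be kept by record rather than by PID. The following Python script is an added example, not code from the report or from the sample; it walks a hand-copied subset of the tree and reports each relaunch generation. The Proc type, the rid field and all function names are the author's assumptions.

```python
"""Finding the batch-file + w32tm relaunch loop in a sandbox process tree.

Added example, not code from the report or from the sample. SAMPLE_TREE is a
hand-copied subset of the Processes section above; the record ids (rid), the
Proc type and all function names are the author's assumptions.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    rid: int            # unique record id: PIDs are reused within one run
    parent: int | None  # rid of the parent record, deliberately not its PID
    pid: int
    image: str
    cmdline: str

# a .bat started from the user's Temp directory; group(1) is its file name
TEMP_BAT = re.compile(r"\\appdata\\local\\temp\\([^\"']+\.bat)", re.I)

def _name(p: Proc) -> str:
    return ntpath.basename(p.image).lower()

def generation(p: Proc, by_rid: dict[int, Proc]) -> int:
    """How many ancestors of p run the same image (0 for the first launch)."""
    n, cur = 0, by_rid.get(p.parent)
    while cur is not None:
        if cur.image.lower() == p.image.lower():
            n += 1
        cur = by_rid.get(cur.parent)
    return n

def relaunch_loops(procs: list[Proc]) -> list[tuple[str, str, int]]:
    """Return (image, batch file, generation) for each process that starts cmd.exe
    on a Temp batch file which both sleeps with 'w32tm /stripchart' and starts the
    same image again: the self-restart chain seen in this report."""
    by_rid = {p.rid: p for p in procs}
    children: dict[int | None, list[Proc]] = defaultdict(list)
    for p in procs:
        children[p.parent].append(p)
    hits = []
    for cmd in procs:
        m = TEMP_BAT.search(cmd.cmdline)
        if _name(cmd) != "cmd.exe" or m is None or cmd.parent not in by_rid:
            continue
        launcher, kids = by_rid[cmd.parent], children[cmd.rid]
        sleeps = any(_name(k) == "w32tm.exe" and "/stripchart" in k.cmdline.lower()
                     for k in kids)
        relaunched = any(k.image.lower() == launcher.image.lower() for k in kids)
        if sleeps and relaunched:
            hits.append((launcher.image, m.group(1), generation(launcher, by_rid)))
    return sorted(hits, key=lambda h: h[2])

def reused_pids(procs: list[Proc]) -> dict[int, list[int]]:
    """PIDs carried by more than one record in the run: keying the tree on PID
    alone would merge unrelated processes (here the sample and a later smss.exe)."""
    owners: dict[int, set[int]] = defaultdict(set)
    for p in procs:
        owners[p.pid].add(p.rid)
    return {pid: sorted(r) for pid, r in owners.items() if len(r) > 1}

# Hand-copied subset of the Processes section (first three smss.exe generations).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
SMSS = r"C:\Program Files\Common Files\Services\smss.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
SLEEP = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"

def bat(name: str) -> str:
    return f'"{CMD}" /C "{TEMP}\\{name}"'

SAMPLE_TREE = [
    Proc(1, None, 3024, SAMPLE, f'"{SAMPLE}"'),
    Proc(2, 1, 2884, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    Proc(3, 2, 2688, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    Proc(4, 3, 2576, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    Proc(5, 4, 2020, SMSS, f'"{SMSS}"'),
    Proc(6, 5, 1796, CMD, bat("Z87Ce65nyU.bat")),
    Proc(7, 6, 1600, W32TM, SLEEP),
    Proc(8, 6, 780, SMSS, f'"{SMSS}"'),
    Proc(9, 8, 2500, CMD, bat("wKGJ2NUoAL.bat")),
    Proc(10, 9, 2184, W32TM, SLEEP),
    Proc(11, 9, 3024, SMSS, f'"{SMSS}"'),  # PID 3024 again: same PID as record 1
    Proc(12, 11, 2400, CMD, bat("J2mXRZwkCj.bat")),
    Proc(13, 12, 1868, W32TM, SLEEP),
    Proc(14, 12, 760, SMSS, f'"{SMSS}"'),
]

if __name__ == "__main__":
    for image, batch, gen in relaunch_loops(SAMPLE_TREE):
        print(f"generation {gen}: {image} -> {batch} -> {image}")
    print("reused PIDs:", reused_pids(SAMPLE_TREE))
```

On EDR telemetry the record id would be the process GUID the sensor assigns; the point of the example is that the loop is only visible once cmd.exe's children are grouped under the right smss.exe instance, and that grouping breaks as soon as PID 3024 is treated as one process.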

Network

MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            ea2cd3cca5fd73fb1bf9ca49f07d981d

                                            SHA1

                                            f362030ebbcf4a29e9fd2df5d6fcf0a270a8566e

                                            SHA256

                                            4e31b1fc65e36ab5c78d74e84eb836533b4d942ed94170bd602647094369034b

                                            SHA512

                                            01e159e4f928e7d75f4acf57ce65a5e888bc8aa772f94dd5ec4fed726d6867c245f540a37829e2f9ef29cd3f54f0aa30a411a36eae091408c7241eafd980e405

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a2336accbec6808b0d937c5fe1ff2506
  SHA1: 38e343de081b2672b7d7feff55c8ad58441e5a96
  SHA256: 61c387df824d61d23c8db46b3ecefdc0673ebc3b97f678d4e591611656790eae
  SHA512: 5e96354a5027a94eec30a573a2c4cfa87e5a1dcd7efb030c8aa2628514d614c1ad1ebb0d5b9ee4dc52cf310e8e30ac307f25d7e0d224b3d674a4f0d2251bcfbf

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 69082d2d9d35970e45250e636f7d39ee
  SHA1: 23a05799c45eba27072fd46cd929e30c01871aa9
  SHA256: 92215b0ce31f71a34b94dd98ba7335eec64af241f3e558092170fed25da2ef9f
  SHA512: b03417c42852f76c7743ab9f3cefaef7ab4893ac91e1bbd1c87995d81d12edc371abcf67f3d8da44425115c835bdeb744b81bbe0c8fc6af2b3bf2db6760197d3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 102f552309b246d7db33bcb57ce522b0
  SHA1: 32676b8e4db6ca2feb0114b1b209b8b0934f9d78
  SHA256: 333165f69131c8d8e858f73f66effba00098f8fa30f63246908a7ac5ca07dfbb
  SHA512: 11f841a42ac181123f1e0b504b3d794d0408efc6bfb39f6d24c6f91a1efb0e1f204452152a1d2c2911fcfe18015a5b67b03c5e65edcb8a68f283695f618cef6e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a2a30622d75a81d5d03fde107cbf70b6
  SHA1: 0e3aac0c75caabb54ae9340975431a4bfd5bee1f
  SHA256: 1c0741edfa92e4dc2f0e9438425a6956efe51425498d75eecc159bc732c49599
  SHA512: e3933e2c5dd1aafbae3958058f394ded860c895c10f3282bf7f27a562cf0a170a555303d343199f21ef49d4728f3f1884a1d6dadb19906e1830ee91ca7779983

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1758b39a03a055d8b7506098c61b69a6
  SHA1: add0b55ffe6f4c508ea284cfd80eb1c7156dd69f
  SHA256: bd3548d594760dbe2fd3487dd6710b524bb8e641e73eb3d56726cf0e51800f54
  SHA512: 46f9fe864353a0ff9b54f8a79693cae52bae0c44f93e94a6948530a0c126941f10a78055fb132ec104e814a9a181cd6515882b0668de1b0275d26681dff00e7f

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4246e7342ab8f882ab5091c105c1aa1a
  SHA1: 20f949a6662c498b93134168653285d9a063cf3a
  SHA256: 9b3a984a81598a9b667c89df1eb940060329e908975614bf9eaf0fc5b5427be8
  SHA512: 0317b35374e3254a82331d2ebb7303facf4a91bdcf7cb0427eaebf49befaffe6b96dc5466bff5720404e553a0105669b5703528abc4d2237a5470e3fe5ede501

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 63bca8993ef282705ec3892e2490f08c
  SHA1: 28abe39ffa617cd90177dc4c20649e422275e729
  SHA256: 6bbe34d0874da5d8aec021a487abee1560bce08e81a71953b91a5063e228a0a8
  SHA512: 8a0649a6c481f7e10bcf766e22888ff2185f103f58f5769653a8c9f172ac96ddca3226d59a36d4d9cfc8fb6f4bf966ce540b73b69b6b4613f78fe7f90fbdf96e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dd3163f955d445d87124a2d7bb805413
  SHA1: 85946353e2cb64f7731eec8bfd95b1816d35badd
  SHA256: 8c66c9918fbc3c6ffb127a23987b015b45c6bda2d71145027a3293c65cfaab43
  SHA512: bad52e9edc8434e43f9d3bb83a181ae5a2d175e61a51ad7c9566a8c89b942cb276d200fb0e6165a6620ed144b7aa835e6a65f3903c7721037d9458f8bacf19b5

• C:\Users\Admin\AppData\Local\Temp\Cab3748.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat
  Filesize: 212B
  MD5: a30978ec2e459fb04ab22e7604cc40a0
  SHA1: eeca7310e6c6c2c2f805b8e66e81ae278d93c8b8
  SHA256: d8408cb6b03c034acb413d948dae6d55159aa4ffefebdda0dd1effb1815b1c68
  SHA512: edc577ee1cdb8a3bd50f931a7cf871e40ae4f6d724f6f9945162473f6d463564d56b74e9cc8ee6b66a0a1a740ca91f788c8bff845d910d038b3d87fb125f9ee3

• C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat
  Filesize: 212B
  MD5: 95531640ce85b16c1d892f54097ce39d
  SHA1: 1cecf33841913df148840cbd1c94ceae680b39f8
  SHA256: 9b02da6ac5992a08b68c04d8857d4818cebd2b8e5757cab54f356a5da3529f2a
  SHA512: abc5777d722ac729f025f97a6c959fcfdb151bdbc2c5697ac9a37bfc7eb3fd4b77f945ec3716291c290f3348d6d2a2bd179db11b8e0b342ae14a486df414efcb

• C:\Users\Admin\AppData\Local\Temp\Tar374B.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat
  Filesize: 212B
  MD5: abc5f41868dd6592e9461667835eae0c
  SHA1: 809d87187b1769c019422382b0b873e96e0fab80
  SHA256: acc2049d74d4781b44ad55047c4fd8e0aa01f02bd4593fd826de54bbaf3d9857
  SHA512: 0384ea396a960a2acda0788f8525acc3b60279a8125e81e04bb3c2ba43be590de219cc5cbe1d78d9138892f7284fc3b831936a899ba81f470b82969fecd6594d

• C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat
  Filesize: 212B
  MD5: 818d52263b84cc7030cccb5c8e943a7a
  SHA1: c28918b85c1170ca7f7b50f4f9f562946bf42886
  SHA256: dcc6cab4f05fc5a236afa7bb71363f411b9a35366be9ee086bdd4b37f0e08932
  SHA512: b55193c9f6de3d1407d1f75f48e91ae5809b39a61b6453a23249097edc81030f833c458bc1cc77e0654eff470217c102800cf4c09d2b59521f78793a9be5ea8d

• C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat
  Filesize: 212B
  MD5: 023a6a873beb1365181a9bd8a25f5b92
  SHA1: 91fe108943f51b3888c57a0a35c490621d509ac2
  SHA256: b0393449f63b933b6c89900b4672a999f28d495c12496b3a2d655e4ce968b1e9
  SHA512: 6d3703349f2513ffa1bcad28a2962239a24ae1fc82407dfd289d1cbd1c1e6aae997e1c8c667dc9683fe717d2493b8c80127879994494151ee2118178d001037a

• C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat
  Filesize: 212B
  MD5: 8681b8c1c027d378033d5f7921cc0cc4
  SHA1: 42eb49e3d7d675871cf1d6ae8df96edd588fa95e
  SHA256: 3827c9f99b1e89a80d43eaaa5a2be5782ed3009d169b2efc4c1642badbad930d
  SHA512: 1ed497e828f465271d18f25aaddcf340047e76db3519e13b06e239e0018ea37bd6a5eced134f139f1bd7597d405d17fd1fc29961d04b4b12dca9e4306cb95bc9

• C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat
  Filesize: 212B
  MD5: c89266f3cc2a397cd9c2f5dd289ce203
  SHA1: 52c1c469311c707ef9f92794723eaba3547c8dba
  SHA256: 64959f014b62beccb192ccbbdf60277ce155764432e09c21d1db4809a59297b3
  SHA512: d966dcfdee27b9d23f3e5943f34eec435c93fec200c3d235baaffc40314da1d8f44d56729cf086bee01c9b8ceed9e27ddda521b82d8ac5d6cde50f379f9581c8

• C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat
  Filesize: 212B
  MD5: 4c4d242c1362bf3608c370f226195afa
  SHA1: 975890a9df8ecf9908dc465daadc9bc24e583649
  SHA256: 9d192eb35b106faabf564a88d8b3853b243daf7609ff5fce82a1f29f3727686c
  SHA512: 96d8d3f4ed07f065dfaf95399e9fb0897fcbf1d5f653a5e51ed3f3054c2a3b7d07196dc94d4b8869d979f99689709e600135533988a4ced8c8ef6ad34ec916ab

• C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat
  Filesize: 212B
  MD5: f7d130d2a22418c8fa98b6fb02a31a25
  SHA1: 139d8fc82afaf581e45672cf8e2c52a1476ed6e2
  SHA256: d1cf2fc5ee0b9bf889dafa24785968c90f37d4e405fc2f2e5bc79cdfaae1784d
  SHA512: abf52b718823aabe7f9056c7e179f89bfd9df76b290d581c739866d55d17a7746554b5bdc7159471a1d20a0aa75549b17627c301c31c78cbbb5c797baab77cc9

• C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat
  Filesize: 212B
  MD5: a016008d01b2acdc51ab821ab5ac737e
  SHA1: 24ed95d14902418bbbba55fc8eecba41c09a8644
  SHA256: 0a7ec7ace1e5c9214ad4293c79c63335790fd7f76a34a99301d5ec40d692f6b9
  SHA512: 9f3139d50177b86a8fe56425498f6d5f222308984534c5154b77eb256a52a1d3828d2dfb4c5ca65ab37af7a6dc0df648a17d68d1ed9441f631c03e9ad4403b3b

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ef567b4e090c05d7116d46cdde4bdefc
  SHA1: eb4558d7abf2c71c4ef213a3c6233c2c9d33c68e
  SHA256: f9b0260d06ad10543401697733275b52bf8684f20043a6eff3f1cbe2da43afc1
  SHA512: 3abb489e565e3998c454c0c588a397e08bbd75cedad773614548ca9fff4ebf9bcd37081dc9077e7a27c53fc606de6407dcb7ff46aeb2930e14f792ba2ac9eb03

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/760-265-0x0000000000180000-0x0000000000290000-memory.dmp
  Filesize: 1.1MB

• memory/760-266-0x0000000000350000-0x0000000000362000-memory.dmp
  Filesize: 72KB

• memory/780-144-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize: 72KB

• memory/780-143-0x0000000000CA0000-0x0000000000DB0000-memory.dmp
  Filesize: 1.1MB

• memory/1208-628-0x0000000000BB0000-0x0000000000CC0000-memory.dmp
  Filesize: 1.1MB

• memory/1520-507-0x0000000000C40000-0x0000000000D50000-memory.dmp
  Filesize: 1.1MB

• memory/1728-47-0x0000000002290000-0x0000000002298000-memory.dmp
  Filesize: 32KB

• memory/1728-46-0x000000001B7B0000-0x000000001BA92000-memory.dmp
  Filesize: 2.9MB

• memory/2000-567-0x0000000000100000-0x0000000000210000-memory.dmp
  Filesize: 1.1MB

• memory/2000-568-0x0000000000250000-0x0000000000262000-memory.dmp
  Filesize: 72KB

• memory/2004-447-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB

• memory/2004-446-0x00000000002D0000-0x00000000003E0000-memory.dmp
  Filesize: 1.1MB

• memory/2020-45-0x0000000000220000-0x0000000000330000-memory.dmp
  Filesize: 1.1MB

• memory/2020-84-0x00000000001C0000-0x00000000001D2000-memory.dmp
  Filesize: 72KB

• memory/2576-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
  Filesize: 48KB

• memory/2576-17-0x0000000000580000-0x000000000058C000-memory.dmp
  Filesize: 48KB

• memory/2576-15-0x0000000000570000-0x000000000057C000-memory.dmp
  Filesize: 48KB

• memory/2576-14-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/2576-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp
  Filesize: 1.1MB

• memory/2860-386-0x0000000000D10000-0x0000000000E20000-memory.dmp
  Filesize: 1.1MB

• memory/2936-326-0x0000000000A70000-0x0000000000B80000-memory.dmp
  Filesize: 1.1MB

• memory/3024-204-0x0000000000340000-0x0000000000450000-memory.dmp
  Filesize: 1.1MB

• memory/3024-205-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB