Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/11/2023, 01:52

General

  • Target

    4d7463d7f489ec7de6ebea288af19270.exe

  • Size

    1.4MB

  • MD5

    4d7463d7f489ec7de6ebea288af19270

  • SHA1

    3a350b9badebb0d9f31bf6472d6f5c69d246ef39

  • SHA256

    bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48

  • SHA512

    1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe
    "C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2844
        • C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe
          "C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1172
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a2ce2c-80f1-4bcc-b2b4-8b0347871485.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1676
            • C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe
              C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2524
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272f4fd3-e6ab-4e1e-b488-17d73cd59533.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1756
                • C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe
                  C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1572
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3721b736-858f-47ef-8287-f781ce35cc30.vbs"
                    8⤵
                      PID:2604
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9004547-1c5b-4349-a061-6cee60dbbce7.vbs"
                      8⤵
                        PID:2668
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f833930-49d1-4544-bdda-2523dcd0b73a.vbs"
                    6⤵
                      PID:764
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fec35f8-72b2-46ac-90d3-91d28f27e6a9.vbs"
                  4⤵
                    PID:2764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1076
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2656
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1272
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2552
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2816
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:268
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2868
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2028
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1940
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2836
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1616
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af192704" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2800
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af19270" /sc ONLOGON /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af192704" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:956

Network

Downloads

                  • C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe

                    Filesize

                    1.4MB

                    MD5

                    4d7463d7f489ec7de6ebea288af19270

                    SHA1

                    3a350b9badebb0d9f31bf6472d6f5c69d246ef39

                    SHA256

                    bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48

                    SHA512

                    1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

                  • C:\Users\Admin\AppData\Local\Temp\0198774ecd329d5f7bf22f368d795edb26c4bff9.exe

                    Filesize

                    1.4MB

                    MD5

                    dc87758a301b810c1468844523b0f496

                    SHA1

                    044bf6b07e5e4dc8ff55ce2296d399bf39f219e2

                    SHA256

                    40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f

                    SHA512

                    0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

                  • C:\Users\Admin\AppData\Local\Temp\272f4fd3-e6ab-4e1e-b488-17d73cd59533.vbs

                    Filesize

                    733B

                    MD5

                    99111039ff5e5e7b6949b1a885f3e9f7

                    SHA1

                    cc403a5600a2f9213a8849fdadbadc586de5c09a

                    SHA256

                    107b5e02f467a0ec637fd4b8f12d4806335b44f2706bc5d45b4c0d50687cbf09

                    SHA512

                    07635539f3faef86f56e81995340b4ace65e2d69e0502b02d1394dd6520234aebc58eac0c10989cf979b13ac3ab8c1783307fdf018022b883a5edd613cc65e07

                  • C:\Users\Admin\AppData\Local\Temp\3721b736-858f-47ef-8287-f781ce35cc30.vbs

                    Filesize

                    733B

                    MD5

                    dfec2f28197e955fd9fdd14080f180a4

                    SHA1

                    b5a2485b8871594fdbb6953a95da02c55b8d725d

                    SHA256

                    0fe02e8c56815c109aaa01a969ae6e8d673fe344ca1bdf862266bcd484342930

                    SHA512

                    35976011682c5ccd8b0e6d4061785a25d6270f37c78e748554269d95de1d8d4341241c46d84b0dde6527660f3bc61c16f4086496b54f423061b409230549ffd7

                  • C:\Users\Admin\AppData\Local\Temp\68a2ce2c-80f1-4bcc-b2b4-8b0347871485.vbs

                    Filesize

                    733B

                    MD5

                    d413d3a50c7d48f7390efa10b5b68a12

                    SHA1

                    459bb4553e4ca0b6cd8ccf9ba482b8a3a2a3b8b8

                    SHA256

                    befc1ded0950b7ce11a33813b94cfacc3e8d3c3881da4785432580b2645f1ebb

                    SHA512

                    39476963f4e77ceb5b4fc789b132fcf0abfdd2224ec35674b37980b826c7867af1b439ffcaf0e0c49499d0afb9ddabf52e91365ed446f1e80c05e237fd06999e

                  • C:\Users\Admin\AppData\Local\Temp\9f833930-49d1-4544-bdda-2523dcd0b73a.vbs

                    Filesize

                    509B

                    MD5

                    4803bb1ce2b631410289d974217310dc

                    SHA1

                    7bf6cc995fbb92597cff6f6720dd56fa16dca5cc

                    SHA256

                    637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06

                    SHA512

                    8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

                  • C:\Users\Admin\AppData\Local\Temp\9fec35f8-72b2-46ac-90d3-91d28f27e6a9.vbs

                    Filesize

                    509B

                    MD5

                    4803bb1ce2b631410289d974217310dc

                    SHA1

                    7bf6cc995fbb92597cff6f6720dd56fa16dca5cc

                    SHA256

                    637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06

                    SHA512

                    8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

                  • C:\Users\Admin\AppData\Local\Temp\b9004547-1c5b-4349-a061-6cee60dbbce7.vbs

                    Filesize

                    509B

                    MD5

                    4803bb1ce2b631410289d974217310dc

                    SHA1

                    7bf6cc995fbb92597cff6f6720dd56fa16dca5cc

                    SHA256

                    637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06

                    SHA512

                    8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

                  • C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat

                    Filesize

                    222B

                    MD5

                    4796cc41b5bc8c9322c2b447cd6fb561

                    SHA1

                    13fe4b12e85d816f93da80fbfd2616b3f268a846

                    SHA256

                    7b2bdd40a9cb4781dbac117026cc0ab5cc59834d08a5627c50b88c42e60aaf61

                    SHA512

                    3a86d1cf1a42524724650e178b07c31ce6ce78dd39e6075ddbdedcf512418ffeb5a70c1b9f9a12571aafd2df25853b43f4b40b0c19d8bc4aceacc2a9d66ab103

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    e5a639566f0edd6a8775106a0b9d4982

                    SHA1

                    863d46a775163709e1ed0a19d291ab89c6f13f5b

                    SHA256

                    7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237

                    SHA512

                    9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZWAATKDQJ6LBKM6AS7X.temp

                    Filesize

                    7KB

                    MD5

                    e5a639566f0edd6a8775106a0b9d4982

                    SHA1

                    863d46a775163709e1ed0a19d291ab89c6f13f5b

                    SHA256

                    7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237

                    SHA512

                    9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

                  • C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

                    Filesize

                    1.4MB

                    MD5

                    dc87758a301b810c1468844523b0f496

                    SHA1

                    044bf6b07e5e4dc8ff55ce2296d399bf39f219e2

                    SHA256

                    40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f

                    SHA512

                    0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

                  • C:\Users\Default\RCX55C5.tmp

                    Filesize

                    1.4MB

                    MD5

                    66b67ed3faae4a63506a65bc0736f102

                    SHA1

                    f8fd3942fb901e5f0fba1e11ba974bb49d07631e

                    SHA256

                    e8f764ef4f7a6b171cfa9df9676a2b4d908ba224d9604a3957816c2b8d27d887

                    SHA512

                    9abf2f47a113b82009a7d10f3ba0a8ad93baa127466a8598c9f13ca512f89b14a44742fbdbd567cbc7057cf109dcfc2dd9ad685ec9c65bc1070fd6c10a7c41bd

                  • C:\Windows\Logs\dllhost.exe

                    Filesize

                    1.4MB

                    MD5

                    0f28a750e818c80bffea40c662214e99

                    SHA1

                    7972cda164a22b1017af1a4e213850789d92025c

                    SHA256

                    a56f488ea9fdf1d26b47bd7e8521b8f904dd1dd351b4efedae048fa523223c4b

                    SHA512

                    04380580bee7f59aac06846e1307a713331380af05bbfe7c718c91a29cdcd53217575117933ccb24c15a0e912cdd01cfa95d2744d7ae1e767f5e5902d70007e7

                  • memory/560-222-0x00000000021E0000-0x0000000002260000-memory.dmp

                    Filesize

                    512KB

                  • memory/560-219-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/560-218-0x00000000021E0000-0x0000000002260000-memory.dmp

                    Filesize

                    512KB

                  • memory/560-221-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/896-235-0x0000000002A90000-0x0000000002B10000-memory.dmp

                    Filesize

                    512KB

                  • memory/1172-239-0x0000000000C90000-0x0000000000DFC000-memory.dmp

                    Filesize

                    1.4MB

                  • memory/1316-217-0x0000000002660000-0x00000000026E0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1316-215-0x0000000002660000-0x00000000026E0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1316-212-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1316-231-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1316-216-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1316-213-0x0000000002660000-0x00000000026E0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1316-214-0x0000000002660000-0x00000000026E0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1376-234-0x00000000028D0000-0x0000000002950000-memory.dmp

                    Filesize

                    512KB

                  • memory/1380-166-0x00000000023D0000-0x00000000023D8000-memory.dmp

                    Filesize

                    32KB

                  • memory/1380-233-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1380-207-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1380-208-0x0000000002510000-0x0000000002590000-memory.dmp

                    Filesize

                    512KB

                  • memory/1380-209-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1380-210-0x0000000002510000-0x0000000002590000-memory.dmp

                    Filesize

                    512KB

                  • memory/1380-211-0x0000000002510000-0x0000000002590000-memory.dmp

                    Filesize

                    512KB

                  • memory/1380-151-0x000000001B210000-0x000000001B4F2000-memory.dmp

                    Filesize

                    2.9MB

                  • memory/1612-227-0x0000000001F40000-0x0000000001FC0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1612-226-0x0000000001F40000-0x0000000001FC0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1612-225-0x0000000001F40000-0x0000000001FC0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1612-224-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1684-229-0x0000000002980000-0x0000000002A00000-memory.dmp

                    Filesize

                    512KB

                  • memory/1684-232-0x0000000002980000-0x0000000002A00000-memory.dmp

                    Filesize

                    512KB

                  • memory/1684-230-0x0000000002980000-0x0000000002A00000-memory.dmp

                    Filesize

                    512KB

                  • memory/1684-228-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/1820-240-0x0000000002B40000-0x0000000002BC0000-memory.dmp

                    Filesize

                    512KB

                  • memory/1820-236-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/2044-223-0x00000000024F0000-0x0000000002570000-memory.dmp

                    Filesize

                    512KB

                  • memory/2044-220-0x00000000024F0000-0x0000000002570000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-17-0x00000000020A0000-0x00000000020AE000-memory.dmp

                    Filesize

                    56KB

                  • memory/2436-13-0x0000000002060000-0x0000000002068000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-22-0x00000000020E0000-0x00000000020E8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-21-0x00000000020D0000-0x00000000020DC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2436-20-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-19-0x00000000020C0000-0x00000000020CE000-memory.dmp

                    Filesize

                    56KB

                  • memory/2436-24-0x0000000002100000-0x000000000210C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2436-0-0x00000000001F0000-0x000000000035C000-memory.dmp

                    Filesize

                    1.4MB

                  • memory/2436-39-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-18-0x00000000020B0000-0x00000000020B8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-43-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-206-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

                    Filesize

                    9.9MB

                  • memory/2436-16-0x0000000002080000-0x000000000208A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2436-15-0x0000000002090000-0x0000000002098000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-14-0x0000000002070000-0x000000000207C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2436-23-0x00000000020F0000-0x00000000020FA000-memory.dmp

                    Filesize

                    40KB

                  • memory/2436-12-0x0000000002050000-0x000000000205C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2436-50-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-141-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-11-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2436-10-0x0000000000A70000-0x0000000000A7A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2436-9-0x00000000008C0000-0x00000000008D0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2436-8-0x00000000008A0000-0x00000000008B6000-memory.dmp

                    Filesize

                    88KB

                  • memory/2436-7-0x0000000000680000-0x0000000000690000-memory.dmp

                    Filesize

                    64KB

                  • memory/2436-6-0x0000000000670000-0x0000000000678000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-5-0x0000000000650000-0x000000000066C000-memory.dmp

                    Filesize

                    112KB

                  • memory/2436-4-0x0000000000430000-0x0000000000438000-memory.dmp

                    Filesize

                    32KB

                  • memory/2436-3-0x0000000000420000-0x000000000042E000-memory.dmp

                    Filesize

                    56KB

                  • memory/2436-2-0x000000001B120000-0x000000001B1A0000-memory.dmp

                    Filesize

                    512KB

                  • memory/2436-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

                    Filesize

                    9.9MB
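The dropped-file and memory-region entries above are raw IOC material, and a practitioner usually wants two things from them: a deduplicated record set and a sanity check of the numbers. The following Python is an added example, not part of the sandbox report or its tooling. It parses entries in the layout used above (the sample is constructed from values copied out of this report), collapses verbatim duplicate entries, checks each memory dump's stated Filesize against its address range, groups ranges dumped from several PIDs (in this report 0x7FEEDC40000-0x7FEEE5DD000 appears under PIDs 560, 1316, 1380, 1612, 1684 and 1820, which is what a module mapped into every process looks like), and flags a dropped file that reuses a system binary name outside its normal directory (C:\Windows\Logs\dllhost.exe). The SYSTEM_BINARIES and EXPECTED_DIRS lists are an assumed heuristic, and human_size reproduces the report's rounding as inferred from its own entries (whole KB below 1 MiB, one decimal above).

```python
import re
from collections import defaultdict

def _entry(path, *pairs):
    """Build one report entry in the page's own layout (sample data only)."""
    return "\n".join(["• " + path] + [f"{k}\n{v}" for k, v in pairs])

# Constructed sample: values copied from the report, including one verbatim
# duplicate entry and two PIDs that dump the same 9.6MB range.
SAMPLE_REPORT = "\n".join([
    _entry(r"C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe",
           ("Filesize", "1.4MB"), ("MD5", "dc87758a301b810c1468844523b0f496"),
           ("SHA256", "40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f")),
] * 2 + [
    _entry(r"C:\Windows\Logs\dllhost.exe", ("Filesize", "1.4MB"),
           ("MD5", "0f28a750e818c80bffea40c662214e99"),
           ("SHA256", "a56f488ea9fdf1d26b47bd7e8521b8f904dd1dd351b4efedae048fa523223c4b")),
    _entry("memory/560-222-0x00000000021E0000-0x0000000002260000-memory.dmp", ("Filesize", "512KB")),
    _entry("memory/1316-212-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp", ("Filesize", "9.6MB")),
    _entry("memory/1380-207-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp", ("Filesize", "9.6MB")),
    _entry("memory/2436-0-0x00000000001F0000-0x000000000035C000-memory.dmp", ("Filesize", "1.4MB")),
])

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_report(text):
    """One dict per '•' entry; each label line takes the next line as its value."""
    records, pending = [], None
    for line in (s.strip() for s in text.splitlines()):
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            pending = None
        elif line in LABELS:
            pending = line
        elif line and records and pending:
            records[-1][pending] = line
            pending = None
    return records

def dedupe(records):
    """Collapse verbatim duplicates; return (unique records, number dropped)."""
    unique = {tuple(sorted(r.items())): r for r in records}
    return list(unique.values()), len(records) - len(unique)

def human_size(n):
    """Format bytes as the report does: whole KB below 1 MiB, one-decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"

def memory_region(record):
    """Decode memory/<pid>-<idx>-<start>-<end> into (pid, start, end), or None."""
    m = MEM_RE.match(record["path"])
    return (int(m[1]), int(m[3], 16), int(m[4], 16)) if m else None

def size_mismatches(records):
    """Entries whose stated Filesize does not equal end - start of the dumped range."""
    bad = []
    for r in records:
        reg = memory_region(r)
        if reg and human_size(reg[2] - reg[1]) != r.get("Filesize"):
            bad.append(r["path"])
    return bad

def shared_regions(records):
    """(start, end) -> sorted PIDs, for ranges dumped from more than one process."""
    by_range = defaultdict(set)
    for r in records:
        reg = memory_region(r)
        if reg:
            by_range[reg[1:]].add(reg[0])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}

# Assumed heuristic list: names that normally exist only under System32/SysWOW64.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def masquerading_paths(records):
    """Dropped files that borrow a system binary's name outside its normal directory."""
    hits = []
    for r in records:
        d, _, name = r["path"].lower().rpartition("\\")
        if name in SYSTEM_BINARIES and d not in EXPECTED_DIRS:
            hits.append(r["path"])
    return hits

if __name__ == "__main__":
    recs, dropped = dedupe(parse_report(SAMPLE_REPORT))
    print(f"{len(recs)} unique entries, {dropped} duplicate(s) removed")
    print("size mismatches:", size_mismatches(recs))
    print("shared ranges:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared_regions(recs).items()})
    print("masquerading:", masquerading_paths(recs))
```

Run against the full report text instead of SAMPLE_REPORT to get the complete IOC set; the memory ranges that recur under every PID with identical start and end are the ones to resolve against the process's module list before treating them as payload, while the 1.4MB private regions (memory/2436-0, memory/1172-239) match the size of the dropped executables and are the better candidates for an unpacked DCRat body.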