Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    21-06-2024 19:05

General

  • Target

    Solara/SolaraBootstrapper.exe

  • Size

    1.9MB

  • MD5

    8911439914996ec2bd5ba4dc50ffd163

  • SHA1

    bed9b04aaab10cf740a5eb07f894c71f62ef88b2

  • SHA256

    40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41

  • SHA512

    c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93

  • SSDEEP

    24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x

Signatures

  • DcRat 43 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
          "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4896
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3236
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2236
              • C:\Windows\de-DE\explorer.exe
                "C:\Windows\de-DE\explorer.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:4644
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs"
                  7⤵
                    PID:4812
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs"
                    7⤵
                      PID:868
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                4⤵
                • Modifies registry key
                PID:2820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4124
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3208
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4448
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4612
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2300
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4368
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2176

        Downloads

        • C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
          Filesize

          160B

          MD5

          aa1ca164a728084ffd5e22bcf41ef9fb

          SHA1

          a46fc620937abf7e82d6c97e728530549c74805f

          SHA256

          c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d

          SHA512

          71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4

        • C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
          Filesize

          226B

          MD5

          4defbf69b7ac7cd48d5d28019164fc15

          SHA1

          475d6ef458c0505261f6e058b84d602dd55a792a

          SHA256

          0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f

          SHA512

          6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe

        • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
          Filesize

          1.6MB

          MD5

          c3d7d94a09a4a29ddc66ba84508d559f

          SHA1

          8bdcdd488649b311182622b7b07ea526bfd021c8

          SHA256

          dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c

          SHA512

          ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0

        • C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs
          Filesize

          705B

          MD5

          6ed116302b66b8a06a42a3f0a42e71a8

          SHA1

          2cc4abb154dfee00ac5aa51497c9ce680ee23145

          SHA256

          0fb53438b3d6cc1a466305c71feaaf5989d75a47667db4341bef94f742988d17

          SHA512

          77207b1e7e0c6077cfcd2331184d052131aaad66d4da9db87ad78879b50759c9b598be8f76d9341d84f94d6af209b261ed5f68dd27e0b8e5b7d82d9e663356a4

        • C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat
          Filesize

          194B

          MD5

          267ec0e7133262a9921581e0ad459516

          SHA1

          c1d0c91f71b136126c58efd1f796d461480746e7

          SHA256

          1c12c2666ef5c6c818841163e20b01ead6d8471e06269840b60d03feae048f76

          SHA512

          05086a72866d6c9c5e460b2b2a83213efeecffaa36ec19630d871273f257e1e42f0878476782c8e6d76f406a48a1c76716650336a4eaf55d5d70ae638d14f2c7

        • C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs
          Filesize

          481B

          MD5

          5c8323fa4a7ed8b39fb3f036d758373f

          SHA1

          30f3313e88663b0b57f89c4b65387af8bcfdb8ff

          SHA256

          75f50c25311cab1dc7ae48c162590b3469095112a4496f3b73ce91c9366b0988

          SHA512

          941132fd68325995ba52a515e28a526079946cd567f316153ee7886dbe051c4e1d0851102b563ce3a1b692d526664fb0842d1c98cf085eb5f081fe0c00aa6f0d
