Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 22:17

General

  • Target

    NursultanCrack.exe

  • Size

    1.9MB

  • MD5

    9c49f8ab036331a19ab63f9aff82db38

  • SHA1

    a27f11d48f1428b8efb5384f779f355271cc8877

  • SHA256

    c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9

  • SHA512

    2a61a2bf0bfff8c84f2ba5065b87563edd36b4a8ab34e2354f01e46a9ab7d19677cda9b686f95598921de7c2480da53a5e76965f01733e875033208adf9bfecd

  • SSDEEP

    24576:h2G/nvxW3WHj0PhetvJ2pv6zvifbzgs4dGnO1F4R8rDX6ZrnHkBseAa+s:hbA3ZUo6buPaARUDInHkBHR

Malware Config

Signatures

  • DcRat 47 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 30 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
          "C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2296
          • C:\Users\Default User\spoolsv.exe
            "C:\Users\Default User\spoolsv.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1720
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8495b3a-9db8-4546-8c5d-bdd0435d60f4.vbs"
              6⤵
                PID:1604
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe43d45-72da-43a3-a071-f6cfe09cc118.vbs"
                6⤵
                  PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Hypercommon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HypercommonH" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Hypercommon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1648

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\6fe43d45-72da-43a3-a071-f6cfe09cc118.vbs

        Filesize

        485B

        MD5

        e282d2ed3a64f63fd1cf28cca5fc00d2

        SHA1

        f9f9fea3051f18a9ce2d57143cc0a24f2defd082

        SHA256

        8daee1c947167d76b8dc48cbf61f16910eeb32286f84403a11cc5b242e48d5ff

        SHA512

        ced76dea7d8f657fd185a5aa264483e5c69d2c466e5223c664bd15edd912a505f62821e0fa13c5281d8b89bae73cb6224241ab17f8045fcbef27dadfa303b538

      • C:\Users\Admin\AppData\Local\Temp\c8495b3a-9db8-4546-8c5d-bdd0435d60f4.vbs

        Filesize

        709B

        MD5

        9ff48d05a69ed8d8454b16ec89a821db

        SHA1

        3a51ddc504f5774b6bc70ab4b0263fe20e05759e

        SHA256

        2bfc9517ea0b46fc0a822edf463f53581bac45a7a4fc59073cf6324c795b7357

        SHA512

        22e086870ed4a43ddcacad432f5f5e40acf322734187a2492bce52cc1e023bcd00dd1f2a4a47afe8d8cbcb734a7f0142b10f9d452aa7ad9c32402c4bba82e597

      • C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat

        Filesize

        38B

        MD5

        6c77726beb17fe13c44cbc3312d1ca54

        SHA1

        919076735be5e1c6c9d077b12beadce4470c7bb2

        SHA256

        e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03

        SHA512

        5089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4

      • C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

        Filesize

        1.4MB

        MD5

        f1ca585436d62720be1c8d7f24fb773f

        SHA1

        3687e578f150e45aa5194f9c485b221459f0f454

        SHA256

        dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7

        SHA512

        9e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc

      • C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe

        Filesize

        209B

        MD5

        2febca5513bbb1d2fb14b29bd4998314

        SHA1

        5fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def

        SHA256

        d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112

        SHA512

        60a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c

      • memory/1720-60-0x0000000000D60000-0x0000000000ED0000-memory.dmp

        Filesize

        1.4MB

      • memory/2296-17-0x00000000009F0000-0x0000000000A06000-memory.dmp

        Filesize

        88KB

      • memory/2296-18-0x00000000007D0000-0x00000000007D8000-memory.dmp

        Filesize

        32KB

      • memory/2296-16-0x00000000002F0000-0x00000000002F8000-memory.dmp

        Filesize

        32KB

      • memory/2296-19-0x00000000020F0000-0x00000000020F8000-memory.dmp

        Filesize

        32KB

      • memory/2296-20-0x0000000002100000-0x0000000002110000-memory.dmp

        Filesize

        64KB

      • memory/2296-21-0x0000000002110000-0x000000000211A000-memory.dmp

        Filesize

        40KB

      • memory/2296-22-0x0000000002120000-0x000000000212C000-memory.dmp

        Filesize

        48KB

      • memory/2296-23-0x0000000002130000-0x000000000213A000-memory.dmp

        Filesize

        40KB

      • memory/2296-15-0x00000000002D0000-0x00000000002EC000-memory.dmp

        Filesize

        112KB

      • memory/2296-14-0x00000000002C0000-0x00000000002CE000-memory.dmp

        Filesize

        56KB

      • memory/2296-13-0x0000000000050000-0x00000000001C0000-memory.dmp

        Filesize

        1.4MB