Analysis

  • max time kernel
    107s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-12-2024 12:49

General

  • Target

    cwel.zip

  • Size

    11.1MB

  • MD5

    2a9f3aa47c3089ab25f5755b659def4c

  • SHA1

    31fec6624ab4ed412aad69fcaaa9e7ccef06abb9

  • SHA256

    794c1b48e399a4ac173dcb4a6a619ad53cfa99f52b9685dc62d922dd879acb29

  • SHA512

    0483b54ed252b5499aedf395f692a4ce884f15399b883499d66304ffa06564df8fd5bbfd48c6e52905f6d2fb3f686dcf4b0add1314181f0b80601c1f2e66558c

  • SSDEEP

    196608:dPvlJIITPqNr34qtBFN2OtLI2YAKIcQKf7QVQKWXdk5SkqBkEZLT7oNulGOtsDvR:1vwIeNroqn82YAjcQsQvWXdk4kqBkEZA

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 16 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 39 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\cwel.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2208
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2504
    • C:\Users\Admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe
      "C:\Users\Admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:104
          • C:\ServerwebRefmonitorDhcp\msComponentsaves.exe
            "C:\ServerwebRefmonitorDhcp\msComponentsaves.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Program Files\Common Files\sihost.exe
              "C:\Program Files\Common Files\sihost.exe"
              5⤵
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3780
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12df89a9-0b27-47db-bac7-a13f6fb73279.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:396
                • C:\Program Files\Common Files\sihost.exe
                  "C:\Program Files\Common Files\sihost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4564
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71b6b3e2-247a-49df-8aa5-da6c93a8a73c.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4620
                    • C:\Program Files\Common Files\sihost.exe
                      "C:\Program Files\Common Files\sihost.exe"
                      9⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1444
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd342c49-2e48-433f-afb8-3fdc0b6a3a64.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2740
                        • C:\Program Files\Common Files\sihost.exe
                          "C:\Program Files\Common Files\sihost.exe"
                          11⤵
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4608
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\438e16de-9024-48aa-85eb-263279a73a64.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4796
                            • C:\Program Files\Common Files\sihost.exe
                              "C:\Program Files\Common Files\sihost.exe"
                              13⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2876
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ab2888-a3e0-495d-9cd7-0e73740bf7ec.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2976
                                • C:\Program Files\Common Files\sihost.exe
                                  "C:\Program Files\Common Files\sihost.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1016
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8075f91-e2f8-4a50-9683-0d76a3220603.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:212
                                    • C:\Program Files\Common Files\sihost.exe
                                      "C:\Program Files\Common Files\sihost.exe"
                                      17⤵
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4972
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\907565d7-854c-4133-b076-fe40bb9493b6.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3476
                                        • C:\Program Files\Common Files\sihost.exe
                                          "C:\Program Files\Common Files\sihost.exe"
                                          19⤵
                                          • Executes dropped EXE
                                          PID:3056
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2844c725-f086-462c-81b4-ba42d8331e82.vbs"
                                        18⤵
                                          PID:3364
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3aa2a7-9b27-49df-96d0-0a0ebd2c6260.vbs"
                                      16⤵
                                        PID:1556
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529e2dd1-957d-4aec-9186-c39d3c65bc68.vbs"
                                    14⤵
                                      PID:568
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e14ead7b-0e91-4929-a8a5-0ccb71d40ab3.vbs"
                                  12⤵
                                    PID:3780
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6d6323-a89f-41e6-afc9-8e71d7a1e968.vbs"
                                10⤵
                                  PID:5100
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc62288e-6529-4594-8237-b7d51ae689d0.vbs"
                              8⤵
                                PID:4760
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33e9b4b8-ec8f-469f-a228-7a5cd3e693b7.vbs"
                            6⤵
                              PID:4192
                        • C:\Windows\SysWOW64\reg.exe
                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Modifies registry key
                          PID:1584
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\sihost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1140
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3688
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1540
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\ServerwebRefmonitorDhcp\SppExtComObj.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:756
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3736
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\ServerwebRefmonitorDhcp\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4668
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1972
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4508
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1552
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\ServerwebRefmonitorDhcp\fontdrvhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:904
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3132
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\ServerwebRefmonitorDhcp\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3672
                  • C:\Windows\system32\OpenWith.exe
                    C:\Windows\system32\OpenWith.exe -Embedding
                    1⤵
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:2620
                  • C:\Windows\system32\OpenWith.exe
                    C:\Windows\system32\OpenWith.exe -Embedding
                    1⤵
                    • Modifies registry class
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of SetWindowsHookEx
                    PID:2976
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                    1⤵
                    • Modifies registry class
                    PID:1316
                  • C:\Windows\system32\OpenWith.exe
                    C:\Windows\system32\OpenWith.exe -Embedding
                    1⤵
                    • Modifies registry class
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of SetWindowsHookEx
                    PID:2116
                  • C:\Users\Admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe
                    "C:\Users\Admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe"
                    1⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2076
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1372
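
The schtasks and reg.exe command lines in the tree above are the artefacts a responder hunts for, and they match the "Scheduled Task/Job" and "Disables Task Manager" signatures listed earlier: every task target borrows the name of a real Windows binary (sihost.exe, RuntimeBroker.exe, fontdrvhost.exe, SppExtComObj.exe) but lives outside System32, the MINUTE-interval tasks act as a watchdog that relaunches the payload every few minutes, and the reg add write sets the DisableTaskMgr policy. The Python below is an editor's example added to this page, not code from the sandbox vendor or from the sample; it parses such command lines and flags those three patterns. The SYSTEM_BINARIES set and the 15-minute threshold are assumptions chosen for illustration, the sample command lines are copied from the process tree, and the two benign controls are constructed.

```python
"""Flag the persistence and defence-evasion command lines from this DCRat run.

Editor's example for this page; not code from the sandbox vendor or from the
sample. SYSTEM_BINARIES and WATCHDOG_MINUTES are assumed values.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Windows binaries that legitimately live only under %SystemRoot%\System32
# (or SysWOW64). A task that launches one of these names from anywhere else
# is masquerading. Assumed list; extend it from your own baseline.
SYSTEM_BINARIES = {"sihost.exe", "runtimebroker.exe", "fontdrvhost.exe",
                   "sppextcomobj.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# A MINUTE schedule at or below this interval is treated as a watchdog that
# keeps relaunching the payload (assumed threshold).
WATCHDOG_MINUTES = 15

_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
_REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+(?P<key>\S+)", re.I)


@dataclass
class Finding:
    rule: str
    command: str
    details: dict = field(default_factory=dict)


def _opt(cmd: str, name: str) -> Optional[str]:
    """Value of a /name option: a double-quoted string or a bare token.
    schtasks wraps the /tr target as "'...'", so inner single quotes go."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip("'")


def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def check_schtasks(cmd: str) -> List[Finding]:
    """Masquerading-target and watchdog-frequency checks for schtasks /create."""
    findings: List[Finding] = []
    if not _SCHTASKS_CREATE.search(cmd):
        return findings
    task, target = _opt(cmd, "tn"), _opt(cmd, "tr")
    sched, every, level = _opt(cmd, "sc"), _opt(cmd, "mo"), _opt(cmd, "rl")
    if (target and PureWindowsPath(target).name.lower() in SYSTEM_BINARIES
            and not _in_system_dir(target)):
        findings.append(Finding("masquerading_system_binary", cmd,
                                {"task": task, "target": target}))
    if (sched and sched.upper() == "MINUTE" and every and every.isdigit()
            and int(every) <= WATCHDOG_MINUTES):
        findings.append(Finding("watchdog_relaunch", cmd,
                                {"task": task, "every_minutes": int(every),
                                 "run_level": level}))
    return findings


def check_reg_add(cmd: str) -> List[Finding]:
    """The DisableTaskMgr policy write seen in the tree (defence evasion)."""
    m = _REG_ADD.search(cmd)
    if not m:
        return []
    key, value, data = m.group("key"), _opt(cmd, "v"), _opt(cmd, "d")
    if (key.lower().endswith(r"\policies\system") and value
            and value.lower() == "disabletaskmgr" and data == "1"):
        return [Finding("task_manager_disabled", cmd,
                        {"key": key, "value": value})]
    return []


def triage(command_lines) -> List[Finding]:
    out: List[Finding] = []
    for cmd in command_lines:
        out += check_schtasks(cmd)
        out += check_reg_add(cmd)
    return out


# Command lines copied from the process tree in this report.
SAMPLE_COMMANDS = [
    r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\sihost.exe'" /f''',
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\sihost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
]
# Constructed benign controls (not from the report): a non-system binary on a
# daily schedule, and the genuine sihost.exe launched from System32.
BENIGN_COMMANDS = [
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /f''',
    r'''schtasks.exe /create /tn "ShellHost" /sc ONLOGON /tr "C:\Windows\System32\sihost.exe" /f''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMANDS + BENIGN_COMMANDS):
        print(f"{f.rule:28} {f.details}")
```

Run against the five report lines the script returns seven findings (four masquerading targets, two watchdog schedules, one Task Manager policy write) and nothing for the two controls. Feed it process-creation logs (Sysmon event 1 or 4688 command lines) rather than a report to use it as a hunt; the path check is deliberately strict, so a legitimate task that launches a System32 binary from its real location never trips it.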

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe

                    Filesize

                    227B

                    MD5

                    c4f52c0631a8695b0f14c2448f58e817

                    SHA1

                    fcc2ad52443c7dcaa844b66f87e3b138a153baf9

                    SHA256

                    cda56d62ea26565c81d7cb150204b59e7e9ceee957462fd3c2ff044d97aac2f4

                    SHA512

                    0360a9bec265aa978cd0dc4ab80bedb00285ef966434f2d57c04d6b943673d29eac419035025dafce002c2c577b5b2882ce5ead6f79fb84df4e52db2d4a6c4c3

                  • C:\ServerwebRefmonitorDhcp\msComponentsaves.exe

                    Filesize

                    2.4MB

                    MD5

                    e426d3b62c5478e7270a4b8c72c71539

                    SHA1

                    d65a844d8f8dd1655aba5a0927d6373480b79632

                    SHA256

                    4023c7f0a9dc47dcbefc20bf92423a1c4a80de962f79ff78fd6cdca64def73b5

                    SHA512

                    21401403a59d79f619316a34a247d752f56d1172fe70934a872e37253e9a3c99defbf3f5b08ff079cab5e2fbb4648b0428e253e402c6627ef55edb5951614454

                  • C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat

                    Filesize

                    161B

                    MD5

                    a5249d8d9ac9a994fb125f32d6e61ef7

                    SHA1

                    f2df0aeb2f44fe19e352a83851c1f6f1c1717920

                    SHA256

                    e1e77331eaf029bdf0b48562314dfd82c47cc85b28e2a66c506d388056713f55

                    SHA512

                    5e47c5e6b475a3b9eeb6414311eccf39b04067fe06d7ff91d6327f61656f6ba1d2a52addd96afa27a7a036164e539f37ffde24c76c6896e4b82ef1d978839532

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

                    Filesize

                    1KB

                    MD5

                    1d9507afc916477f0f601cb7cc451a05

                    SHA1

                    0fb3121347b7dc81e12fc77257747c3f63e687d0

                    SHA256

                    503dfd09e4cce869388e46952d967e4cf503e8dc33a7e4fdfdae9bf7471642ae

                    SHA512

                    8f08d3d944023f7e61ef8f5d6bd0c84660bbbed866cf0780c189ac6ed5214699d21c597f99876c71adae0c360d8d4b5c151f08d0297b88bc11da61a329f06c41

                  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c3f7a458-8ae3-42e5-b444-56ac58e68c54.down_data

                    Filesize

                    555KB

                    MD5

                    5683c0028832cae4ef93ca39c8ac5029

                    SHA1

                    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                    SHA256

                    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                    SHA512

                    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                  • C:\Users\Admin\AppData\Local\Temp\12df89a9-0b27-47db-bac7-a13f6fb73279.vbs

                    Filesize

                    716B

                    MD5

                    fc480804130e1f20bd7c450cbb7b4852

                    SHA1

                    5f819a76ce8e4dc3549f74b5ed9d615c90df98be

                    SHA256

                    12ba938c60cbdd279083622623937376d7f5053d287550a4fb493b6fd26b76ac

                    SHA512

                    fde8eabec9f8cc4947891dd1a137a700e6fa4a3ae1216ac9fc5daaf0eeff12d819983c75a5f1c0730fddb3b1081722808f9802c3e8e1c280fc63e8761f482a63

                  • C:\Users\Admin\AppData\Local\Temp\33e9b4b8-ec8f-469f-a228-7a5cd3e693b7.vbs

                    Filesize

                    492B

                    MD5

                    1a039b3c19218fee89eb22dd00944b81

                    SHA1

                    52d4baa6d251f287518fc03744b32e8e870a0e99

                    SHA256

                    5e813d72226fde936adeaec98165f9495fbebb463bde2e5067dfa1636e8839a3

                    SHA512

                    b66f847c5719e56b3557670ee2f99192b31e905684b6862a974387d5ef7942deb26c1a16d2f4a3c893df74a6cced542acd173ba798db0a0dcba91db75f417363

                  • C:\Users\Admin\AppData\Local\Temp\438e16de-9024-48aa-85eb-263279a73a64.vbs

                    Filesize

                    716B

                    MD5

                    9fd500764f8cc31f785369abb7ee0e2f

                    SHA1

                    bc39a93b8f0bf001791de65a8db7d1672495e96a

                    SHA256

                    a6a19f9f172658db9dcbb468b481185348e1708b872a976fdb407d2fcf331d34

                    SHA512

                    882d52da86e96c3a8a804909cb27ae69e96bd92a1284d0cebb639b1afeffeae18ac02fa8deaa5326a35a4e98a3a1b46fc0f098dbf62739bc1950acecea60968b

                  • C:\Users\Admin\AppData\Local\Temp\71b6b3e2-247a-49df-8aa5-da6c93a8a73c.vbs

                    Filesize

                    716B

                    MD5

                    e3f41f7d24022f3c36b4d2d08fce573b

                    SHA1

                    8f537dc8e604f3a058ab4896ed95f87043b73036

                    SHA256

                    a00e75256356937ed6a0fc5af989f94d23d4c316556daddcdad644bf327c7e3d

                    SHA512

                    735584433c7a0a2d7fc85e135b73585751f00e64e4a9722aad66787bd3e79d8fd2c25de3756aaed8ecd20ec7670d42bdedbd20bcbb19597fa513e5d9e8b31964

                  • C:\Users\Admin\AppData\Local\Temp\88ab2888-a3e0-495d-9cd7-0e73740bf7ec.vbs

                    Filesize

                    716B

                    MD5

                    44081e6db78d6bcedd68eabbcc86aeae

                    SHA1

                    26c846dae366009b559deb7c05f318687386a35c

                    SHA256

                    804aa3791b818986571525233b7fd7fd9e00a1428aa1ff25b9dea1cd046ac7af

                    SHA512

                    858cb7aa505d2e889dc381d05c4303fb0f3aa98e42dbe825bc759801c1e54811f954ff3a61e57b0526c474bb3861c450168798d882c8929a3b12642c70117206

                  • C:\Users\Admin\AppData\Local\Temp\907565d7-854c-4133-b076-fe40bb9493b6.vbs

                    Filesize

                    716B

                    MD5

                    9c0ef85ae651f83f46e2a4b3c93e7ebd

                    SHA1

                    c44a4cbe18d455eeca0038df05eb697f3ce47d97

                    SHA256

                    784b50806985316aaac3b8e35f51dca4120c1f2cc7c4b8444aae9f16a7130590

                    SHA512

                    96c64096bb469574421424d61f70708644e15701c0f0bbff5bb63bea02abab51523e2a525022b73f6995ddc99db549832f62d06efa220bc7b7b8f74e284a80a8

                  • C:\Users\Admin\AppData\Local\Temp\dd342c49-2e48-433f-afb8-3fdc0b6a3a64.vbs

                    Filesize

                    716B

                    MD5

                    285dd8a765def919e9962c084f1cc65c

                    SHA1

                    d9f006f2fc60a8647f95924adc991b15cd8aabb6

                    SHA256

                    3a06a81e14ce722dbbcb1d9d250444417a0bd7c06a08371fe8498c8603cb96a4

                    SHA512

                    2af6194beaed4d916b3bde4cebd0e4d845d3f54f9666e4a4fc06038dce948846ee984ce6d6e9d4c3f833b6fd843f7230cc764f55acb8e39e529e76cf1dbb5672

                  • C:\Users\Admin\AppData\Local\Temp\f8075f91-e2f8-4a50-9683-0d76a3220603.vbs

                    Filesize

                    716B

                    MD5

                    58fbe53ca92a7cc298710dedbebb7239

                    SHA1

                    b35de4ecb04c04183ef3b182ab463ea6c9c49936

                    SHA256

                    34aa8fb6db4561e349245cd76bca51a4f0d0be3bec997e2695612ab9f95f365c

                    SHA512

                    ecd54a4d3201372a66fd4a6261246b4ee46b6854559bd784fe25c221d0d4c9e39202a07c554f72e2f3fc305da0827dc5550beb2eb9e2c63b4fcf7af76d18384c

                  • memory/3780-46-0x000000001CC20000-0x000000001CC32000-memory.dmp

                    Filesize

                    72KB

                  • memory/4540-17-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

                    Filesize

                    32KB

                  • memory/4540-25-0x000000001BF80000-0x000000001BF88000-memory.dmp

                    Filesize

                    32KB

                  • memory/4540-26-0x000000001BF90000-0x000000001BF9C000-memory.dmp

                    Filesize

                    48KB

                  • memory/4540-24-0x000000001BD10000-0x000000001BD1E000-memory.dmp

                    Filesize

                    56KB

                  • memory/4540-23-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

                    Filesize

                    40KB

                  • memory/4540-22-0x000000001BF30000-0x000000001BF86000-memory.dmp

                    Filesize

                    344KB

                  • memory/4540-21-0x0000000002C70000-0x0000000002C7C000-memory.dmp

                    Filesize

                    48KB

                  • memory/4540-20-0x000000001C460000-0x000000001C988000-memory.dmp

                    Filesize

                    5.2MB

                  • memory/4540-18-0x000000001BCD0000-0x000000001BCE6000-memory.dmp

                    Filesize

                    88KB

                  • memory/4540-19-0x0000000002C00000-0x0000000002C12000-memory.dmp

                    Filesize

                    72KB

                  • memory/4540-16-0x000000001BD20000-0x000000001BD70000-memory.dmp

                    Filesize

                    320KB

                  • memory/4540-15-0x0000000001320000-0x000000000133C000-memory.dmp

                    Filesize

                    112KB

                  • memory/4540-14-0x0000000000780000-0x00000000009F0000-memory.dmp

                    Filesize

                    2.4MB