darkgate | 65370c73c41aa4d1f0e222eba60fc177fd3ecfc90376dfb3400dadf4e016831b

Analysis

max time kernel
295s
max time network
299s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2023, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.7z
Size

1.9MB
MD5

449fe8c8503ecfb77666a1a5497c8349
SHA1

c037ccffe803333e0842c6d9474de91ab680838c
SHA256

65370c73c41aa4d1f0e222eba60fc177fd3ecfc90376dfb3400dadf4e016831b
SHA512

7df0436aac9e6e31a77e48d821a270d47b9ae83202b1ae0a6203f3a2d873a92e51656b813d960260f27f5b92accc66d99bcc5dfe5f3677d4dee068874ae311b3
SSDEEP

49152:6Vx9Sv1StVUt6Sflxtz5xjnZcP9dZdE7U+YbBqcNURDGm/rxk6:dgzUt6W9z+9fdEA+o06Urr3

Score

10^/10

darkgate stealer

Malware Config

Extracted

Family

darkgate

http://179.60.149.

http://80.66.88.14

http://107.181.161.20

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 22 IoCs

description	pid	Process	procid_target
PID 4564 created 2492	4564	Autoit3.exe	37
PID 4564 created 3532	4564	Autoit3.exe	27
PID 4564 created 1020	4564	Autoit3.exe	18
PID 2304 created 2492	2304	Autoit3.exe	37
PID 2188 created 4548	2188	cmd.exe	17
PID 2188 created 2308	2188	cmd.exe	75
PID 2188 created 1020	2188	cmd.exe	18
PID 2188 created 2524	2188	cmd.exe	36
PID 2188 created 4940	2188	cmd.exe	95
PID 2188 created 2524	2188	cmd.exe	36
PID 2188 created 2492	2188	cmd.exe	37
PID 2188 created 3736	2188	cmd.exe	26
PID 2188 created 3516	2188	cmd.exe	13
PID 2188 created 3516	2188	cmd.exe	13
PID 2188 created 4036	2188	cmd.exe	25
PID 2188 created 3720	2188	cmd.exe	74
PID 2188 created 3712	2188	cmd.exe	84
PID 2304 created 3720	2304	Autoit3.exe	74
PID 2520 created 2492	2520	Autoit3.exe	37
PID 4844 created 2520	4844	cmd.exe	98
PID 2520 created 400	2520	Autoit3.exe	90
PID 5364 created 3420	5364	cmd.exe	96

Blocklisted process makes network request 64 IoCs

flow	pid	Process
9	2188	cmd.exe
11	2188	cmd.exe
14	2188	cmd.exe
18	1400	cmd.exe
19	1400	cmd.exe
21	1400	cmd.exe
22	2188	cmd.exe
23	1400	cmd.exe
24	2188	cmd.exe
25	4844	cmd.exe
26	4844	cmd.exe
28	1400	cmd.exe
29	2188	cmd.exe
30	1400	cmd.exe
33	2188	cmd.exe
35	1400	cmd.exe
36	2188	cmd.exe
37	1400	cmd.exe
38	2188	cmd.exe
39	1400	cmd.exe
40	2188	cmd.exe
41	2188	cmd.exe
42	1400	cmd.exe
43	2188	cmd.exe
44	1400	cmd.exe
45	2188	cmd.exe
46	1400	cmd.exe
49	2188	cmd.exe
50	1400	cmd.exe
51	2188	cmd.exe
52	1400	cmd.exe
53	2188	cmd.exe
54	1400	cmd.exe
55	2188	cmd.exe
56	1400	cmd.exe
57	2188	cmd.exe
58	2188	cmd.exe
59	2188	cmd.exe
60	1400	cmd.exe
61	2188	cmd.exe
62	1400	cmd.exe
63	2188	cmd.exe
64	1400	cmd.exe
65	2188	cmd.exe
66	2188	cmd.exe
67	1400	cmd.exe
68	2188	cmd.exe
69	1400	cmd.exe
70	1400	cmd.exe
71	2188	cmd.exe
72	1400	cmd.exe
73	2188	cmd.exe
74	1400	cmd.exe
75	2188	cmd.exe
76	1400	cmd.exe
77	2188	cmd.exe
78	1400	cmd.exe
79	2188	cmd.exe
80	1400	cmd.exe
81	2188	cmd.exe
82	1400	cmd.exe
83	2188	cmd.exe
84	1400	cmd.exe
85	2188	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bchccac.lnk	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbaddgk.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbaddgk.lnk	reader_sl.exe

Executes dropped EXE 4 IoCs

pid	Process
4564	Autoit3.exe
4532	Autoit3.exe
2304	Autoit3.exe
2520	Autoit3.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 2188	4564	Autoit3.exe	93
PID 4532 set thread context of 1400	4532	Autoit3.exe	97
PID 2304 set thread context of 4844	2304	Autoit3.exe	104
PID 2520 set thread context of 5364	2520	Autoit3.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	Autoit3.exe
4564	Autoit3.exe
4532	Autoit3.exe
4532	Autoit3.exe
4564	Autoit3.exe
4564	Autoit3.exe
4564	Autoit3.exe
4564	Autoit3.exe
4564	Autoit3.exe
4564	Autoit3.exe
2304	Autoit3.exe
2304	Autoit3.exe
2188	cmd.exe
2188	cmd.exe
2304	Autoit3.exe
2304	Autoit3.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
1400	cmd.exe
1400	cmd.exe
2188	cmd.exe
2188	cmd.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2188	cmd.exe
1400	cmd.exe
4844	cmd.exe
5976	reader_sl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3716	7zG.exe
Token: 35	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3716	7zG.exe
4120	AcroRd32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
512	OpenWith.exe
4120	AcroRd32.exe
4176	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
652	AcroRd32.exe
4120	AcroRd32.exe
3752	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe
4120	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4564	3720	cmd.exe	79
PID 3720 wrote to memory of 4564	3720	cmd.exe	79
PID 3720 wrote to memory of 4564	3720	cmd.exe	79
PID 3720 wrote to memory of 4532	3720	cmd.exe	80
PID 3720 wrote to memory of 4532	3720	cmd.exe	80
PID 3720 wrote to memory of 4532	3720	cmd.exe	80
PID 4564 wrote to memory of 4120	4564	Autoit3.exe	81
PID 4564 wrote to memory of 4120	4564	Autoit3.exe	81
PID 4564 wrote to memory of 4120	4564	Autoit3.exe	81
PID 4532 wrote to memory of 4176	4532	Autoit3.exe	82
PID 4532 wrote to memory of 4176	4532	Autoit3.exe	82
PID 4532 wrote to memory of 4176	4532	Autoit3.exe	82
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83
PID 4564 wrote to memory of 1184	4564	Autoit3.exe	83

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3516

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4548

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1020
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
  2⤵
  PID:400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
    3⤵
    PID:4148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3532

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1.7z
1⤵
- Modifies registry class
PID:524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2524

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
  2⤵
  PID:1184
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe"
  2⤵
  PID:3420
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
    3⤵
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5976
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
  2⤵
  PID:4144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe
  autoit3 GInzGoKa.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1\files\datatender.pdf"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4120
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:3712
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C5274E7B7DABCBB39851CC720ADB941 --mojo-platform-channel-handle=1600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EF95871CB640819827A9423A5B50BB4B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EF95871CB640819827A9423A5B50BB4B --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:164
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6CADEBAACB353D72EECEAFCFF53C1F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6CADEBAACB353D72EECEAFCFF53C1F --renderer-client-id=4 --mojo-platform-channel-handle=2036 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4228
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A588F124EEF763D881D9C390E3625862 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3716
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
        5⤵
        
        PID:4628
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46C6E82F0235ACC74E65FDB9455EF526 --mojo-platform-channel-handle=2616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4148
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=93AC50978171A0FD6304E2864C8B9188 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe
  autoit3 1.au3
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1\files\datatender.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
    3⤵
    PID:2192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1400
- C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe
  autoit3 2.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1\files\datatender.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe
  autoit3 3.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  PID:2520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1\files\datatender.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3752
- - C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\pipanel.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\pipanel.exe"
    3⤵
    PID:600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    PID:5364
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
  2⤵
  PID:4276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\1\" -spe -an -ai#7zMap21023:80:7zEvent31353
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ebbdheh\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\ebbdheh\bbhkgfb.au3

Filesize
788KB

MD5
d4da44147ac66d2abcd4ebe136d7d558

SHA1
4d86d0b7081531717d40c9f3aee260a31500ba47

SHA256
99407aa8ef0e5b04408a0d4cf571f9e880fc092d92056f448b865f0c1bc317f5

SHA512
9a3adda097699b17e445d4a7776aa7f8dbfd3514d87126b822af6795ac675dc51b82a4a1a3c97fa3d7298e8fab90be4c1f9bb03b98a12b3b7056786a8896ea9f

Download Submit
C:\ProgramData\ebbdheh\edaeehd\acahffe

Filesize
134B

MD5
662135f8f4f4bf14ba0102e1c8d8cf29

SHA1
b3353808040e6dae320a5567cee1ff65251576c2

SHA256
74d669f067c7c4326dfac7a505c5c7cc44e6cca90e3a0d2f2cbcd63583ba1ef3

SHA512
af87a5aff03d6ce608a9e25c4a431737a7cf970679da2a50fc6a9cdb2336e4ed7fff21a4e4a6acc5ada4442c77251d1c1d4613a10c0a0b08f08f6764ca985990

Download Submit
C:\ProgramData\ebbdheh\edaeehd\acahffe

Filesize
134B

MD5
27278e768012b53e8c829d005fc57a2f

SHA1
bb2cc28bd3182b6bc83cdb6b1cd4d2b52b37e1fe

SHA256
a9f760b1f0fac52c5a600c7f9a0734f3c86c6c3bcf74a0b1c3991ed6685c9cd1

SHA512
96db60390b77a0464f0ee35596a9a4567f6bcc3af986b205dbb582406023e23c4259091af3bef6dac298215527ff5ab12045f226dfb4786eba24d8b549443818

Download Submit
C:\ProgramData\ebbdheh\edaeehd\acahffe

Filesize
134B

MD5
75deaffbde738ce5988eda9dd751302e

SHA1
09b63a4934309fbfd074a0a24e3efcb44c15b574

SHA256
cc774420915c059e028d61400a1e8c17a41191e097a50b5ec2f121b7250edbd3

SHA512
937862729883e762675761cdde511781afb57066ab17f7f7c0b32964113c4d287c25370c9de766ce8e5ebfa68e5dc896323ee3bd1372e8ad39ea04afa0ba2a68

Download Submit
C:\ProgramData\ebbdheh\edaeehd\acahffe

Filesize
134B

MD5
ad830229c432f5e4a7c6e59b8509b67f

SHA1
67e42bff9732ff2cafdc02cb8e0070666db6f541

SHA256
c04733307eb5c3ee1563b36feb740e7993d0366b649691207cb846ce0dac373e

SHA512
cf7a531ed744415f5a03dd875635e9a62d0863ae6ec273010b7a31b0f16deff24ab2c5115f2bf74967e4e12414648435f6f36abbbd6974f381913d1b2aac0aaf

Download Submit
C:\ProgramData\gcchkdb\bdebfcf\cacfebc

Filesize
131B

MD5
cd7b23506aa410e149d7415c8bb49b5e

SHA1
82d4c86bb3e6bc310ff874a71dc64ee029dec557

SHA256
d72e342a4250460bb6544f136652bf388ad1c36d9b3d4ef3866b6925abaa986d

SHA512
667fadb24e438fb9e19a1c7268216dc76f2493b8c63c7b5decdece52d03b264163be08fa7c3990894d6c36767eead6ed9df7f14a05c3b9e6de37d4a65d6678ba

Download Submit
C:\ProgramData\hgfffaf\cbfgdbf\facgcfe

Filesize
131B

MD5
10c8773d3fa06997d06e3bb6cc612a76

SHA1
60be48b1e09fb7e21ea18a98ab4a17503e6713ac

SHA256
1fffed49f3d3373647b074b68453e714b1fe2ef90049f4b63d68da54a327674b

SHA512
6d03fc7a2953912b7f2b36a6117cd3fb94c08dca9b05b43f81c7b7cf9b2d26ac9cf25cb4cf0aacb9ac2fd893b711bfe36c79ade4a8318dba942a7aeed2b9952f

Download Submit
C:\ProgramData\hgfffaf\cbfgdbf\facgcfe

Filesize
131B

MD5
10c8773d3fa06997d06e3bb6cc612a76

SHA1
60be48b1e09fb7e21ea18a98ab4a17503e6713ac

SHA256
1fffed49f3d3373647b074b68453e714b1fe2ef90049f4b63d68da54a327674b

SHA512
6d03fc7a2953912b7f2b36a6117cd3fb94c08dca9b05b43f81c7b7cf9b2d26ac9cf25cb4cf0aacb9ac2fd893b711bfe36c79ade4a8318dba942a7aeed2b9952f

Download Submit
C:\ProgramData\hgfffaf\fbedfcg.au3

Filesize
763KB

MD5
07f10fcfc1a5b106ca20c70369f2ea4e

SHA1
72fd7c503d2bbd940f281c037a39c8c934c42a92

SHA256
f3b54a1d01bc232eaf3bcb3868a58781bd74957ea38fdd5add9bbf2e775f943c

SHA512
118774e03c8a904dec57fa23775fcc2e3238c53602891c92b5e414e98d132a0476205ca80509e1af69cf39a8b3b67ae9c26ec56d44b33c9f21996ae08caf27de

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
44f4cca7af79967765e90dbdaa7a2d84

SHA1
d5b10e0c31ea482da5397973f65e0c97999e5641

SHA256
7d89194616353b1e7866dddcbbf79fde953deccc7b84e102c1577e16d77ca30b

SHA512
c9a265dace3c54a25b1ca1a44f96bcc456f932d7a3699d959b3e17802b1afe21087d53de8e2fae4edded2151c34f28a9619682e9610523149267d52b207a10c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
38f27d8db95fad3f76f3d35b3cf55fd3

SHA1
0cf212a786535a602e7b465f44bc33d57cc482c0

SHA256
eaf3a85037129e8b84ed68f7c2d3496b04ae652cf9d898fdb98ffaa3e9ef1003

SHA512
fa9125b1d6ab1d0be35abdbfc7359748c4ce9df10e825207050e7c576c5e9e9edd9741163d7173985f703b0739cf8e95ca7370aace555832f151a5ef2896fdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files.cab

Filesize
1.7MB

MD5
3bc10188dcda4cc438f5f87761b36047

SHA1
5e7c562f6acdf07e9df4c5190e5e7926fcd089e3

SHA256
09b8169648af15e94731e8e20ee712fd774cf007da8f6b35a6d081174b4cdd54

SHA512
5f15b4312b88566df0c8ed9a2fec90f36d90d7e4100674a313a9f19a1ab6b260952ae64873de26d7a3edced6294211541fcd819d148963f677668c7b32d3f86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\1.au3

Filesize
755KB

MD5
f82aab988df103939de96fd09997ffb9

SHA1
409a300275069e2dbb390341571654f2633eb859

SHA256
47675464c64dc3f0617354beb44a6f7fc926f0f91fe8f194ccaa8251fc191c49

SHA512
2da61f1d108b398fb2effda9a279acb881d5a4363d1187d754ba0d24897b93605935ac855c856eb427ced6af82bc23d79f8031197c0f45636ffcec2f04520b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\2.au3

Filesize
777KB

MD5
0e3913bc130c81f4c6cb004eddbdf1a3

SHA1
80eaa851d47a0aa67148e544882a3003b3f4742d

SHA256
8ff356af97443bd2b028eb57f160a92c2a1ecab2d227977a87a221ae6409c4be

SHA512
7aab507bc116aebf8202b96824489d48c90493acddfad9faac0013ed2d136db2a72a7269c7e4c79a17e051b7e30a62061ac954ed19bd35ec8ddc1a6cf3cc5e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\3.au3

Filesize
776KB

MD5
5892ff480896da2f5c2e52a8dccb1446

SHA1
7d89c0b2ed8613f0ea23a2200b9a66d8b316f7af

SHA256
1d981f5c19ba3f2be6be51685f211ed80b28fc31dd1de7b7797e09a611e893c5

SHA512
6a836325d3f233cd04eca1de36e695f238005066b55d93d6526e90a588466da2812b84407095a7fb19f8e1051b66c04457886a239d481ab48563507eb85c5213

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\GInzGoKa.au3

Filesize
754KB

MD5
142377b6fde2d28f875e3c9c39ecbdb5

SHA1
08147592674b9f38fbb21fed091ec9d19e5be411

SHA256
f7754f0eb2930342d1cc22007cb8edb1a672e6b5f48a6d7aded0c4b5810e6595

SHA512
d7f806e7662c3eb5f49514caf89a8a0666272e0dbc2048f26c7163e32f4e563f7425ead6d067a6ad8bf7b088b32870cc7767ca6c954254a99a05b058bb3bf534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\files\datatender.pdf

Filesize
85KB

MD5
fdc82f97d2d63f95f03db51da9e1a5fa

SHA1
baffb59a3b411b30fd4b7389ddb0ecb74a9762ef

SHA256
c1c29ee06d655719efb4653a6aa4dd95ae8236248e05d853c3819ceb4bd79234

SHA512
48a1de0c4c6e5e3a928fd9f4ef0396663727d4a6639b695177761df531675a1e30daab4190ffdbb053fd4720057d9f4b220534faed4a1f4a232d249deebe859b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bchccac.lnk

Filesize
647B

MD5
edfa0f8fa3fbd32652e06b712dbc1668

SHA1
dc11e87e2ce0256fc630a00d1909aa168ae6e2e2

SHA256
b059c1fd528da7d04c64495b146ae481aaa38a29e6619e5acc6b263cf51a5366

SHA512
558ea7258cd282d269f114c17a5f85fd8d68eb287060d38d29c9f72079648d1ba20d09a822bc15505e4f4df63f93e0293bdd0834dc39dc8702e8b9bc87687483

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbaddgk.lnk

Filesize
647B

MD5
6b232399089231719bc87eb17287db9e

SHA1
73835f5fb7018f5414080b2b0f74a14277f01aa1

SHA256
86b37644b46a05b4b20a119e09f75af27e284922a68e4c292158b926a1a09bfe

SHA512
e2444fbd87ee3f000b089d7490e6920a2a0ad3c970237564acd155944f02470d3db563125058d0e441ddc78469e75ebeb0b9d49b38836642f5725df490d8736d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbaddgk.lnk

Filesize
898B

MD5
51dea96c52fafb0db26b17a49b828f90

SHA1
ea25eb150ef052e2d473170a76ea2c0f11af1a39

SHA256
626a5ff8d7ef059ffcc149eb8fa3f8bf62439001bff88861cbddb95e950ae4b1

SHA512
022abb2540d803857832bbeba8f112922632da580ef5f61b18450b74fee0594823d333dad3c13b32224640ce5d5618a441eb1eebc3bb9d06b742e7b4afd92132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbaddgk.lnk

Filesize
898B

MD5
51dea96c52fafb0db26b17a49b828f90

SHA1
ea25eb150ef052e2d473170a76ea2c0f11af1a39

SHA256
626a5ff8d7ef059ffcc149eb8fa3f8bf62439001bff88861cbddb95e950ae4b1

SHA512
022abb2540d803857832bbeba8f112922632da580ef5f61b18450b74fee0594823d333dad3c13b32224640ce5d5618a441eb1eebc3bb9d06b742e7b4afd92132

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\bbhkgfb.au3

Filesize
776KB

MD5
5892ff480896da2f5c2e52a8dccb1446

SHA1
7d89c0b2ed8613f0ea23a2200b9a66d8b316f7af

SHA256
1d981f5c19ba3f2be6be51685f211ed80b28fc31dd1de7b7797e09a611e893c5

SHA512
6a836325d3f233cd04eca1de36e695f238005066b55d93d6526e90a588466da2812b84407095a7fb19f8e1051b66c04457886a239d481ab48563507eb85c5213

Download Submit
\??\c:\temp\bbhkgfb.au3

Filesize
776KB

MD5
5892ff480896da2f5c2e52a8dccb1446

SHA1
7d89c0b2ed8613f0ea23a2200b9a66d8b316f7af

SHA256
1d981f5c19ba3f2be6be51685f211ed80b28fc31dd1de7b7797e09a611e893c5

SHA512
6a836325d3f233cd04eca1de36e695f238005066b55d93d6526e90a588466da2812b84407095a7fb19f8e1051b66c04457886a239d481ab48563507eb85c5213

Download Submit
\??\c:\temp\bffbaka.au3

Filesize
755KB

MD5
f82aab988df103939de96fd09997ffb9

SHA1
409a300275069e2dbb390341571654f2633eb859

SHA256
47675464c64dc3f0617354beb44a6f7fc926f0f91fe8f194ccaa8251fc191c49

SHA512
2da61f1d108b398fb2effda9a279acb881d5a4363d1187d754ba0d24897b93605935ac855c856eb427ced6af82bc23d79f8031197c0f45636ffcec2f04520b97

Download Submit
\??\c:\temp\fbedfcg.au3

Filesize
754KB

MD5
142377b6fde2d28f875e3c9c39ecbdb5

SHA1
08147592674b9f38fbb21fed091ec9d19e5be411

SHA256
f7754f0eb2930342d1cc22007cb8edb1a672e6b5f48a6d7aded0c4b5810e6595

SHA512
d7f806e7662c3eb5f49514caf89a8a0666272e0dbc2048f26c7163e32f4e563f7425ead6d067a6ad8bf7b088b32870cc7767ca6c954254a99a05b058bb3bf534

Download Submit
memory/600-976-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/600-973-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1184-37-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1184-38-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1400-656-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1400-570-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2188-500-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2188-453-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2192-161-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/2192-164-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/2304-477-0x00000000000E0000-0x00000000004E0000-memory.dmp

Filesize
4.0MB

Download
memory/2304-427-0x00000000000E0000-0x00000000004E0000-memory.dmp

Filesize
4.0MB

Download
memory/2304-480-0x0000000003B60000-0x0000000003D3A000-memory.dmp

Filesize
1.9MB

Download
memory/2304-899-0x0000000003B60000-0x0000000003D3A000-memory.dmp

Filesize
1.9MB

Download
memory/2304-429-0x0000000003400000-0x00000000034F5000-memory.dmp

Filesize
980KB

Download
memory/2304-431-0x0000000003B60000-0x0000000003D3A000-memory.dmp

Filesize
1.9MB

Download
memory/2520-758-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2520-646-0x00000000037F0000-0x00000000038E5000-memory.dmp

Filesize
980KB

Download
memory/2520-1262-0x0000000004040000-0x000000000421A000-memory.dmp

Filesize
1.9MB

Download
memory/2520-753-0x0000000004040000-0x000000000421A000-memory.dmp

Filesize
1.9MB

Download
memory/2520-652-0x0000000004040000-0x000000000421A000-memory.dmp

Filesize
1.9MB

Download
memory/2520-642-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/3420-464-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3420-466-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4144-759-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4144-763-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4532-560-0x0000000003BE0000-0x0000000003DB7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-30-0x0000000000A50000-0x0000000000E50000-memory.dmp

Filesize
4.0MB

Download
memory/4532-28-0x0000000003BE0000-0x0000000003DB7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-27-0x00000000033C0000-0x00000000034B5000-memory.dmp

Filesize
980KB

Download
memory/4532-58-0x0000000000A50000-0x0000000000E50000-memory.dmp

Filesize
4.0MB

Download
memory/4532-56-0x0000000003BE0000-0x0000000003DB7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-445-0x0000000004790000-0x000000000496A000-memory.dmp

Filesize
1.9MB

Download
memory/4564-54-0x0000000004790000-0x000000000496A000-memory.dmp

Filesize
1.9MB

Download
memory/4564-23-0x0000000001A30000-0x0000000001E30000-memory.dmp

Filesize
4.0MB

Download
memory/4564-25-0x00000000018C0000-0x00000000019B5000-memory.dmp

Filesize
980KB

Download
memory/4564-52-0x0000000001A30000-0x0000000001E30000-memory.dmp

Filesize
4.0MB

Download
memory/4564-35-0x0000000004790000-0x000000000496A000-memory.dmp

Filesize
1.9MB

Download
memory/4564-26-0x0000000004790000-0x000000000496A000-memory.dmp

Filesize
1.9MB

Download
memory/4628-587-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4628-2184-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/4628-590-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/4628-2735-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/4844-909-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4844-1789-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4844-1002-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5364-1738-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5364-1276-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5976-2736-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/5976-2769-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download