Malware Analysis Report

2024-11-30 11:11

Sample ID 241117-bc8fjaxfpd
Target 19888b7fe000d86bc63cf6a75a1e4c69.bin
SHA256 0d259358cc6c6d195424b2d188a1a8ecb5564ce1d51e8f7a9fc3ebc187eafefc
Tags
discovery darkgate derry execution persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0d259358cc6c6d195424b2d188a1a8ecb5564ce1d51e8f7a9fc3ebc187eafefc

Threat Level: Known bad

The file 19888b7fe000d86bc63cf6a75a1e4c69.bin was found to be: Known bad.

Malicious Activity Summary

discovery darkgate derry execution persistence stealer

Detect DarkGate stealer

DarkGate

Darkgate family

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: AutoIT

Suspicious use of SetThreadContext

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 01:01

Reported

2024-11-17 01:04

Platform

win7-20241010-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe

"C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 172

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 01:01

Reported

2024-11-17 01:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe"

Signatures

DarkGate

stealer darkgate

Darkgate family

darkgate

Detect DarkGate stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfdcaba = "\"C:\\ProgramData\\ebbcbdh\\Autoit3.exe\" C:\\ProgramData\\ebbcbdh\\hcdcehe.a3x" \??\c:\temp\test\Autoit3.exe N/A

Command and Scripting Interpreter: AutoIT

execution
Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 100 set thread context of 4380 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\temp\test\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\temp\test\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe N/A
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\temp\test\Autoit3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe \??\c:\temp\test\Autoit3.exe
PID 100 wrote to memory of 3380 N/A \??\c:\temp\test\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 3204 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 100 wrote to memory of 4380 N/A \??\c:\temp\test\Autoit3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe

"C:\Users\Admin\AppData\Local\Temp\cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe"

\??\c:\temp\test\Autoit3.exe

"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ebbcbdh\hbhbbke

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic ComputerSystem get domain

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Network


Files

C:\temp\test\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

\??\c:\temp\test\script.a3x

MD5 b06f6dee405e7edbdb66a38c8f466f40
SHA1 20929c94acdf4bcc9f93ffc9d21682e4f5d27579
SHA256 22bbc7aee06585f281643cccfc6f80c360f2ec27e70a300c578e5a8f4bdb2df1
SHA512 fd759d5dd4e711e6dfe29806f25521ccce90d123a9576e3f688fc103c6f06f76d37fad4844107a0ca98e0730e75266ddaeda529513cb92d8ae1c8d210677c4cc

C:\ProgramData\ebbcbdh\hbhbbke

MD5 c8bbad190eaaa9755c8dfb1573984d81
SHA1 17ad91294403223fde66f687450545a2bad72af5
SHA256 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA512 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
