darkgate | 1e8c119f3fe1374d1bd6234387c177ddfaa9b69c1850ed41ceee1c2309a2c27d

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d.dll
Size

7.3MB
MD5

a405656b13924871d376b08d65fddbc9
SHA1

9cc98f605449f0ea0f20cdf25f390e477362e120
SHA256

787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d
SHA512

0db0bc1e1608761399721ba13b9f9f0236eba3a47dda98111053e117fec817db948b7e9150203babfa13ec0f11908835f11b067dcedcf99f5c7a837c8784349f
SSDEEP

196608:qHJafUyYAULRp/n/JqmucSzkoeSAFHysQ/V/447XvXMZ:q8ULLhlfyv7XUZ

Score

10^/10

darkgate anoncrypter collection credential_access defense_evasion discovery execution persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\QHGbHpQ3N.README.txt

Ransom Note

~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: A58A500505762AE9844DFCBA41427433 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.

URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Extracted

Family

darkgate

Botnet

anoncrypter

dark.masthost.net

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
3390
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
dbXSLnAG
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
anoncrypter

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 7 IoCs

resource	yara_rule
behavioral1/memory/1800-472-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1800-524-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1800-525-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1800-522-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1800-528-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1856-542-0x0000000000A30000-0x00000000011D2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1800-527-0x0000000000920000-0x00000000010C2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2016 created 2068	2016	Autoit3.exe	33
PID 1800 created 1200	1800	GoogleUpdateCore.exe	23
PID 2480 created 1220	2480	msbuild.exe	21
PID 2404 created 1220	2404	GoogleUpdateCore.exe	21

Renames multiple (151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1344	chrome.exe
1368	chrome.exe
3028	chrome.exe
2896	chrome.exe

Executes dropped EXE 6 IoCs

pid	Process
1792	svchost.exe
1548	l.exe
2068	v.exe
2600	mydark.exe
2016	Autoit3.exe
1948	6816.tmp

Loads dropped DLL 2 IoCs

pid	Process
2600	mydark.exe
1548	l.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	chrome.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	chrome.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	chrome.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	chrome.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	chrome.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	chrome.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\chgeaeh = "\"C:\\ProgramData\\kfcdhff\\Autoit3.exe\" C:\\ProgramData\\kfcdhff\\abhdded.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\chgeaeh = "\"C:\\ProgramData\\kfcdhff\\Autoit3.exe\" C:\\ProgramData\\kfcdhff\\abhdded.a3x"	GoogleUpdateCore.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	l.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	l.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2016	Autoit3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\QHGbHpQ3N.bmp"	l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\QHGbHpQ3N.bmp"	l.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1548	l.exe
1548	l.exe
1548	l.exe
1548	l.exe
1548	l.exe
1548	l.exe
1948	6816.tmp
1948	6816.tmp
1948	6816.tmp
1948	6816.tmp
1948	6816.tmp
1948	6816.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 2480	1800	GoogleUpdateCore.exe	45

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mydark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6816.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	v.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	v.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	chrome.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2672	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop	l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "10"	l.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QHGbHpQ3N	l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QHGbHpQ3N\ = "QHGbHpQ3N"	l.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QHGbHpQ3N\DefaultIcon	l.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QHGbHpQ3N	l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QHGbHpQ3N\DefaultIcon\ = "C:\\ProgramData\\QHGbHpQ3N.ico"	l.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	v.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1604	WMPDMC.exe
1312	setup_wm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1800	GoogleUpdateCore.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1548	l.exe
Token: SeBackupPrivilege	1548	l.exe
Token: SeDebugPrivilege	1548	l.exe
Token: 36	1548	l.exe
Token: SeImpersonatePrivilege	1548	l.exe
Token: SeIncBasePriorityPrivilege	1548	l.exe
Token: SeIncreaseQuotaPrivilege	1548	l.exe
Token: 33	1548	l.exe
Token: SeManageVolumePrivilege	1548	l.exe
Token: SeProfSingleProcessPrivilege	1548	l.exe
Token: SeRestorePrivilege	1548	l.exe
Token: SeSecurityPrivilege	1548	l.exe
Token: SeSystemProfilePrivilege	1548	l.exe
Token: SeTakeOwnershipPrivilege	1548	l.exe
Token: SeShutdownPrivilege	1548	l.exe
Token: SeDebugPrivilege	1548	l.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeBackupPrivilege	1932	vssvc.exe
Token: SeRestorePrivilege	1932	vssvc.exe
Token: SeAuditPrivilege	1932	vssvc.exe
Token: SeBackupPrivilege	1548	l.exe
Token: SeBackupPrivilege	1548	l.exe
Token: SeSecurityPrivilege	1548	l.exe
Token: SeSecurityPrivilege	1548	l.exe
Token: SeBackupPrivilege	1548	l.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
852	chrome.exe
852	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1792	2792	rundll32.exe	31
PID 2792 wrote to memory of 1792	2792	rundll32.exe	31
PID 2792 wrote to memory of 1792	2792	rundll32.exe	31
PID 1792 wrote to memory of 1548	1792	svchost.exe	32
PID 1792 wrote to memory of 1548	1792	svchost.exe	32
PID 1792 wrote to memory of 1548	1792	svchost.exe	32
PID 1792 wrote to memory of 1548	1792	svchost.exe	32
PID 1792 wrote to memory of 2068	1792	svchost.exe	33
PID 1792 wrote to memory of 2068	1792	svchost.exe	33
PID 1792 wrote to memory of 2068	1792	svchost.exe	33
PID 1792 wrote to memory of 2068	1792	svchost.exe	33
PID 1792 wrote to memory of 2600	1792	svchost.exe	34
PID 1792 wrote to memory of 2600	1792	svchost.exe	34
PID 1792 wrote to memory of 2600	1792	svchost.exe	34
PID 1792 wrote to memory of 2600	1792	svchost.exe	34
PID 2600 wrote to memory of 2016	2600	mydark.exe	35
PID 2600 wrote to memory of 2016	2600	mydark.exe	35
PID 2600 wrote to memory of 2016	2600	mydark.exe	35
PID 2600 wrote to memory of 2016	2600	mydark.exe	35
PID 2016 wrote to memory of 2960	2016	Autoit3.exe	37
PID 2016 wrote to memory of 2960	2016	Autoit3.exe	37
PID 2016 wrote to memory of 2960	2016	Autoit3.exe	37
PID 2016 wrote to memory of 2960	2016	Autoit3.exe	37
PID 2960 wrote to memory of 1984	2960	cmd.exe	39
PID 2960 wrote to memory of 1984	2960	cmd.exe	39
PID 2960 wrote to memory of 1984	2960	cmd.exe	39
PID 2960 wrote to memory of 1984	2960	cmd.exe	39
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 2016 wrote to memory of 1800	2016	Autoit3.exe	43
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 2480	1800	GoogleUpdateCore.exe	45
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 1800 wrote to memory of 1856	1800	GoogleUpdateCore.exe	46
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2480 wrote to memory of 2404	2480	msbuild.exe	48
PID 2068 wrote to memory of 2896	2068	v.exe	49
PID 2068 wrote to memory of 2896	2068	v.exe	49
PID 2068 wrote to memory of 2896	2068	v.exe	49
PID 2068 wrote to memory of 2896	2068	v.exe	49
PID 2896 wrote to memory of 2888	2896	chrome.exe	50
PID 2896 wrote to memory of 2888	2896	chrome.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	chrome.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\l.exe
      "C:\Users\Admin\AppData\Local\Temp\l.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1548
    - - C:\ProgramData\6816.tmp
        
        "C:\ProgramData\6816.tmp"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6816.tmp >> NUL
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\v.exe
      "C:\Users\Admin\AppData\Local\Temp\v.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6579758,0x7fef6579768,0x7fef6579778
        6⤵
        
        PID:2888
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:2076
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:2
        6⤵
        
        PID:484
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:8
        6⤵
        
        PID:3056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:8
        6⤵
        
        PID:3044
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1564 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1344
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1368
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:2
        6⤵
        
        PID:1696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3392 --field-trial-handle=1364,i,6631659882535207466,9577081261585403720,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKEBFBFIEHID" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2672
  - - C:\Users\Public\mydark.exe
      "C:\Users\Public\mydark.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - \??\c:\temp\test\Autoit3.exe
        
        "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kfcdhff\ahdgdbd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ComputerSystem get domain
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chr8288.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/94336476/9594ef06"
    3⤵
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    PID:852
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chr8288.tmp /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\chr8288.tmp\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\chr8288.tmp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef6579758,0x7fef6579768,0x7fef6579778
      4⤵
      PID:948
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:2732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1140 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:2
      4⤵
      PID:1704
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1260 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:8
      4⤵
      PID:2096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1280 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:8
      4⤵
      PID:2696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1904 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:1
      4⤵
      PID:2084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1912 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:1
      4⤵
      PID:640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2380 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:1
      4⤵
      PID:3060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2424 --field-trial-handle=2044,i,16303776431207924702,1172074313107823482,131072 /prefetch:1
      4⤵
      PID:2372
- - C:\Program Files\Windows Media Player\WMPDMC.exe
    "C:\Program Files\Windows Media Player\WMPDMC.exe"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    PID:1604
- - C:\Program Files\Windows Media Player\setup_wm.exe
    "C:\Program Files\Windows Media Player\setup_wm.exe"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    PID:1312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1200
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

Filesize
129B

MD5
5b9359a039fc27094f5d98184031f286

SHA1
62c13b2a1b56ba825aabc5d06bb5f54eb69d498a

SHA256
b0e2381e84f07e86303f82cbf9d5912f1e5d8524a6981426385ebd1ed337dae3

SHA512
1b451921930767fb9c9308ca35cb0893988e6aa79a627d45f61497a14a5b514416b799868eda5e112e9eba189eddcbd1589322b42b4de50cd6a29d151a4a8ed0

Download Submit
C:\ProgramData\kfcdhff\ahdgdbd

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\kfcdhff\hggeeec

Filesize
1KB

MD5
2c69730a9c79deb4abd3f93b5935f389

SHA1
7bed568a195643654072a4ec44f7be46ae68e65f

SHA256
930878905452b92d73244d4eb740a58069bfd9f3109503e56031860d0db9c1d2

SHA512
90cbe6404d6d5627644c10cee2fe0fcbe595715ebfee604d538b18bbe3e71587f85e3d4504008015a77574e6f2604e5743b339f0cfac0126b20f5efaac1a5b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1ff17bfa9c85f8db25f6a595b2bb721

SHA1
2f6c1706647d8b49687c6e141115bcccce0e32e8

SHA256
b26c5beca5ea4a12b79828f96996b0b5705a9538ee7472c7a7877b0be585a9f2

SHA512
f06b9b584f083f44f344b96b892b9fffe6915919a1d119379ef286eb061c8976570f9d6169762ff3e55134589742b94d1978289d39425bca6e484f221e8f0be1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBBBB

Filesize
264KB

MD5
06dc42759ec36f5af59f2e9b2c6128ca

SHA1
e2d0e12bf089f224ed8339cffff2b0e6e31dd6ae

SHA256
3929d7940a3bdc89d4c0f2a008a299f5b49833755716ca7ef285facb5b892c79

SHA512
bf72840bd40ad0f83caf46a62f027093ed814b1375ebca5c2bc60911aebfca201bc3c18bf406bff3a61d0f6ace06fe4c1aeb2fb02be987551f984a010cfdb0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31EB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar325B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr8288.tmp\Default\Site Characteristics Database\CURRENT~RFf778804.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr8288.tmp\Default\Sync Data\LevelDB\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\chr8288.tmp\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\l.exe

Filesize
264KB

MD5
f03b13218cb720a087175198a67b831c

SHA1
bafad61b13f7b6d08a286e970c822f940b9135fb

SHA256
3a2b885fd306f3ccbab3ec7584a3769c048a475d790fda8818d21c596eda8e05

SHA512
42f9038be2b096b0468a5d05286fbfe2ec93dac08bdbb627b69722143a6db496de406abcd7c15d614e8bd68622ffc257ba02c6a489d4e9698ed02b0671a2541a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.4MB

MD5
15bb67aec4ec337cfad207203cd593c6

SHA1
542b1839fcfb29e386eab1a8919f17f486408ebc

SHA256
7fb6af6b92b77fbcca3c98aa6566ff29af0fd3f538185610437514d075b7e963

SHA512
e64ff67acebfe76cfdbef33d70f783ce5b1343452c862013cc42e8a3992897259d6ff06a36ddab0be155cde85faef83318294a8ff33674a677c9f4c1a4b2aefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.exe

Filesize
372KB

MD5
931744642ba53a75c3008f30d8ea7183

SHA1
2ce31051b434bfdfa7447fd1acb1992485b7205b

SHA256
61d998e1c9c4c3d033e9214204f7c96ea09fd2580009094e66dd0a5a7998f754

SHA512
9f5f8beb8f9994c9af24d8acef470f8df0c9339358f245b651a95eb9d8d213b125f7f7ec6305cedcbf190e5396acc1eb12de0c4e0a3136d7505a14119efee2d2

Download Submit
C:\Users\Admin\AppData\Roaming\bEFdbfK

Filesize
32B

MD5
4aef751a198079ebc5ed8eb60b05febc

SHA1
946cc6d4b65d6b0876f5674f1d6296aca00f6add

SHA256
6b140da368de669fa5e5318334123efbca7ac76a1b804660fb83d99ab506cfc8

SHA512
a1cdb9f9119fe516a3aed6a439b10d8195885193c30b57ef5970b512e101303db945c15b698f489f31ae6b18e38117dd2e1d537851cc04c2c7b939c597a4cff9

Download Submit
C:\Users\Public\mydark.exe

Filesize
2.0MB

MD5
dc0a046d715f645ef7f78b6b022f67a8

SHA1
e3a9622fc9a5016ade389aa98cedb38efa9aef4c

SHA256
80dab4dab91f87874bb3c41347a4441b2011bf87030ab5e0e59d214063ffa569

SHA512
7892573ecec7666cc4d73c8ad2be078fa41d3b8667b0ffc10450727875aee2a92ab3554f610ad97a32b33f1a965f9a39351aebd32616b8b0ca3a7efc98e95008

Download Submit
C:\Users\QHGbHpQ3N.README.txt

Filesize
3KB

MD5
caafaa5c4bb5a5d1a3f02ae60b0f7f3d

SHA1
1ce6bbff7c8076a35704fd3f6904a01047f19a10

SHA256
167baef34b2bdd9025504624be40797d77e8968c59d406be767ac84780e3696c

SHA512
892e0f664054947e9c33db12f4ff3a77b235622f198ec9c1b2f5f29a51a87577bb622ff601de1d135222e905acd94584ab055cc4e61cad0c04171b56df3aecd2

Download Submit
C:\temp\bhadfgk

Filesize
4B

MD5
13001b8d45b2b5ff87e5cabff34ca215

SHA1
3e8a84e9072682057218d091d32ad24a08875fda

SHA256
e5d380d5d9bba61ae121555c91ff9b7c44be6329e351e8bf23daa5bd8e3fe196

SHA512
c99c0ec1b520a72d04e0af9a90ae38fdcddaf8f03400c793cb930597e9e7a99c1f7f3e178fc07a1a249ceff8dae482a619861a05dcc740aa2f9c7f37377468b0

Download Submit
C:\temp\edfddba

Filesize
4B

MD5
7c05ebe935e4231dd0b8ff5e9bbb2692

SHA1
0f27439d98cfc138f1da40a6a69660ca1afed3f9

SHA256
b2b738378867269c7ecc999fab8065d0acd595b6f92e983e432a48438dd7f80e

SHA512
88dbb085350b43df118ccb47658c1f5285e9054cb5abefbe615881b40fd6ef1a4a1cd7d1ede4c9477ccd8bce19c525aa00f624c16d843d9261612bcfd6024baf

Download Submit
C:\temp\hgffbbc

Filesize
4B

MD5
dd198d4717d01e69c7d75fbe6cc1b5dd

SHA1
a71b03f30a2c0791d34af07737b2c87188334a5c

SHA256
38eb4120edc4c6ce8e0ec6902d6e0056d92e2d2e64e8260748ef7f581e639852

SHA512
b3730ecae6eda02bc38758d645bed241a6d9f8bacbe0bda8a045aee9630aa712af62c5bd8439e9b7f2947fed28b127062aa8d8f40ea0d8afb9a41c55cec253b9

Download Submit
C:\temp\hgffbbc

Filesize
4B

MD5
1c207255d07667ddfc53fce669e42bc9

SHA1
0d85228fdfa0f25a2a09a0962316a269fd7e7397

SHA256
abebb53447f52608af5cb520aad2cd9ce1da52402577a49706fac38153a4ad57

SHA512
b2af236b1e7420e67d80602b771c1c087b4bfa9a2a1edefacb96038cfa893f4af75f432ec4ae02631bf2622dbd9a94c40cbf777223d9f991b23848675aa52bc5

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\CCCCCCCCCCC

Filesize
129B

MD5
cf9fddd6fd3471d56efd96c79f77d8a4

SHA1
937bd613fb934f1281cf8e0fb26881334de50cf0

SHA256
e03933f8e5e41da5e59f461464f751d9305689d2d32d4cf5e6faf697e694fc03

SHA512
27edd8e8987b87872f7b32b05d88a93071d441fd9bbb950f21af1b89b8b89825b63a9665d2d197c2ac42f3813a2116c35f1a1c8b9df9bb82ac5fc2535f139d95

Download Submit
\??\c:\temp\test\script.a3x

Filesize
1.1MB

MD5
6d0ba22651177f51271416be0280d1cc

SHA1
b07d421b386b7cc3affbd412008288021f219dd1

SHA256
d0ca6d8064faec38a998b957f40e87a4f9de47802f9137e32c5a6f8484ba893e

SHA512
0e7d10f71fb4e54a4e610fc68d95929f3d0260deb2981aed5febc53a3dad061f81aa258b780c27459f7b51dc20152a3c9439ffd83d3b803c4c3b07fb295da6fe

Download Submit
\ProgramData\6816.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1312-989-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1312-995-0x000007FFFFFA0000-0x000007FFFFFA8000-memory.dmp

Filesize
32KB

Download
memory/1312-996-0x000007FFFFFA0000-0x000007FFFFFA8000-memory.dmp

Filesize
32KB

Download
memory/1312-990-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1312-991-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1312-992-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1548-619-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1548-495-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1604-982-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1604-986-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1604-980-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1604-984-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1604-983-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1604-985-0x0000000000060000-0x00000000000C2000-memory.dmp

Filesize
392KB

Download
memory/1792-47-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-552-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-16-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/1792-17-0x0000000000F40000-0x00000000010B8000-memory.dmp

Filesize
1.5MB

Download
memory/1800-522-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1800-525-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1800-528-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1800-527-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1800-524-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1800-472-0x0000000000920000-0x00000000010C2000-memory.dmp

Filesize
7.6MB

Download
memory/1856-542-0x0000000000A30000-0x00000000011D2000-memory.dmp

Filesize
7.6MB

Download
memory/2068-904-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2068-666-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2068-496-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2068-1039-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2068-849-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2068-981-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2404-523-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2404-540-0x00000000772F0000-0x0000000077337000-memory.dmp

Filesize
284KB

Download
memory/2404-609-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/2404-530-0x00000000777C0000-0x0000000077969000-memory.dmp

Filesize
1.7MB

Download
memory/2404-599-0x0000000000890000-0x0000000000C90000-memory.dmp

Filesize
4.0MB

Download
memory/2404-598-0x0000000000890000-0x0000000000C90000-memory.dmp

Filesize
4.0MB

Download
memory/2404-593-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/2404-529-0x0000000000890000-0x0000000000C90000-memory.dmp

Filesize
4.0MB

Download
memory/2480-519-0x00000000772F0000-0x0000000077337000-memory.dmp

Filesize
284KB

Download
memory/2480-517-0x00000000777C0000-0x0000000077969000-memory.dmp

Filesize
1.7MB

Download
memory/2480-516-0x0000000000610000-0x0000000000A10000-memory.dmp

Filesize
4.0MB

Download
memory/2480-515-0x0000000000610000-0x0000000000A10000-memory.dmp

Filesize
4.0MB

Download
memory/2480-471-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2480-470-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2600-45-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2792-48-0x000000006D080000-0x000000006D7D7000-memory.dmp

Filesize
7.3MB

Download
memory/2792-0-0x0000000002650000-0x0000000002CDC000-memory.dmp

Filesize
6.5MB

Download