darkgate | 5fb1567d2cbbaf1df7c4ec782f8c9b1a0e1a171bdb6f814f3b3089dab7a03bf4

Analysis

max time kernel
54s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/Autoit3.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZuMRODIC
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 7 IoCs

resource	yara_rule
behavioral1/memory/2852-48-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2852-75-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2852-76-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2852-77-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2852-74-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2852-73-0x0000000003BA0000-0x0000000003EF5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3740-111-0x00000000040C0000-0x0000000004415000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 2852 created 4052	2852	Autoit3.exe	60
PID 2852 created 1356	2852	Autoit3.exe	100
PID 4144 created 2748	4144	Autoit3.exe	61
PID 3740 created 2732	3740	Autoit3.exe	120
PID 2024 created 2660	2024	Autoit3.exe	45
PID 4476 created 2748	4476	Autoit3.exe	61
PID 2852 created 2748	2852	Autoit3.exe	61
PID 3508 created 4052	3508	Autoit3.exe	60

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ekbchac = "\"C:\\ProgramData\\dkbfaha\\Autoit3.exe\" C:\\ProgramData\\dkbfaha\\dhfacgd.a3x"	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ekbchac = "\"C:\\ProgramData\\dkbfaha\\Autoit3.exe\" C:\\ProgramData\\dkbfaha\\dhfacgd.a3x"	Autoit3.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 2 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
316	Autoit3.exe
2852	Autoit3.exe

Executes dropped EXE 13 IoCs

pid	Process
3740	Autoit3.exe
4144	Autoit3.exe
2024	Autoit3.exe
4476	Autoit3.exe
3508	Autoit3.exe
788	Autoit3.exe
4016	Autoit3.exe
1568	Autoit3.exe
2848	Autoit3.exe
2428	Autoit3.exe
1456	Autoit3.exe
1968	Autoit3.exe
3812	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2044	powershell.exe
2044	powershell.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
3740	Autoit3.exe
3740	Autoit3.exe
4144	Autoit3.exe
4144	Autoit3.exe
4144	Autoit3.exe
4144	Autoit3.exe
2024	Autoit3.exe
2024	Autoit3.exe
3740	Autoit3.exe
3740	Autoit3.exe
4476	Autoit3.exe
4476	Autoit3.exe
2024	Autoit3.exe
2024	Autoit3.exe
3508	Autoit3.exe
3508	Autoit3.exe
4476	Autoit3.exe
4476	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
3740	Autoit3.exe
3740	Autoit3.exe
788	Autoit3.exe
788	Autoit3.exe
3508	Autoit3.exe
3508	Autoit3.exe
4476	Autoit3.exe
4476	Autoit3.exe
2852	Autoit3.exe
2852	Autoit3.exe
4016	Autoit3.exe
4016	Autoit3.exe
1568	Autoit3.exe
1568	Autoit3.exe
2848	Autoit3.exe
2848	Autoit3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 316	4872	cmd.exe	88
PID 4872 wrote to memory of 316	4872	cmd.exe	88
PID 4872 wrote to memory of 316	4872	cmd.exe	88
PID 2044 wrote to memory of 2852	2044	powershell.exe	108
PID 2044 wrote to memory of 2852	2044	powershell.exe	108
PID 2044 wrote to memory of 2852	2044	powershell.exe	108
PID 2852 wrote to memory of 3540	2852	Autoit3.exe	109
PID 2852 wrote to memory of 3540	2852	Autoit3.exe	109
PID 2852 wrote to memory of 3540	2852	Autoit3.exe	109
PID 3540 wrote to memory of 5036	3540	cmd.exe	111
PID 3540 wrote to memory of 5036	3540	cmd.exe	111
PID 3540 wrote to memory of 5036	3540	cmd.exe	111
PID 2852 wrote to memory of 4888	2852	Autoit3.exe	116
PID 2852 wrote to memory of 4888	2852	Autoit3.exe	116
PID 2852 wrote to memory of 4888	2852	Autoit3.exe	116
PID 2852 wrote to memory of 3728	2852	Autoit3.exe	118
PID 2852 wrote to memory of 3728	2852	Autoit3.exe	118
PID 2852 wrote to memory of 3728	2852	Autoit3.exe	118
PID 2852 wrote to memory of 4444	2852	Autoit3.exe	124
PID 2852 wrote to memory of 4444	2852	Autoit3.exe	124
PID 2852 wrote to memory of 4444	2852	Autoit3.exe	124
PID 2732 wrote to memory of 3740	2732	cmd.exe	126
PID 2732 wrote to memory of 3740	2732	cmd.exe	126
PID 2732 wrote to memory of 3740	2732	cmd.exe	126
PID 4584 wrote to memory of 4144	4584	cmd.exe	127
PID 4584 wrote to memory of 4144	4584	cmd.exe	127
PID 4584 wrote to memory of 4144	4584	cmd.exe	127
PID 4144 wrote to memory of 4044	4144	Autoit3.exe	128
PID 4144 wrote to memory of 4044	4144	Autoit3.exe	128
PID 4144 wrote to memory of 4044	4144	Autoit3.exe	128
PID 2852 wrote to memory of 4640	2852	Autoit3.exe	131
PID 2852 wrote to memory of 4640	2852	Autoit3.exe	131
PID 2852 wrote to memory of 4640	2852	Autoit3.exe	131
PID 4708 wrote to memory of 2024	4708	cmd.exe	133
PID 4708 wrote to memory of 2024	4708	cmd.exe	133
PID 4708 wrote to memory of 2024	4708	cmd.exe	133
PID 4984 wrote to memory of 4476	4984	cmd.exe	136
PID 4984 wrote to memory of 4476	4984	cmd.exe	136
PID 4984 wrote to memory of 4476	4984	cmd.exe	136
PID 3740 wrote to memory of 2984	3740	Autoit3.exe	137
PID 3740 wrote to memory of 2984	3740	Autoit3.exe	137
PID 3740 wrote to memory of 2984	3740	Autoit3.exe	137
PID 2024 wrote to memory of 4840	2024	Autoit3.exe	139
PID 2024 wrote to memory of 4840	2024	Autoit3.exe	139
PID 2024 wrote to memory of 4840	2024	Autoit3.exe	139
PID 2004 wrote to memory of 3508	2004	cmd.exe	143
PID 2004 wrote to memory of 3508	2004	cmd.exe	143
PID 2004 wrote to memory of 3508	2004	cmd.exe	143
PID 3740 wrote to memory of 3604	3740	Autoit3.exe	144
PID 3740 wrote to memory of 3604	3740	Autoit3.exe	144
PID 3740 wrote to memory of 3604	3740	Autoit3.exe	144
PID 3136 wrote to memory of 788	3136	cmd.exe	148
PID 3136 wrote to memory of 788	3136	cmd.exe	148
PID 3136 wrote to memory of 788	3136	cmd.exe	148
PID 4476 wrote to memory of 4168	4476	Autoit3.exe	149
PID 4476 wrote to memory of 4168	4476	Autoit3.exe	149
PID 4476 wrote to memory of 4168	4476	Autoit3.exe	149
PID 2852 wrote to memory of 1816	2852	Autoit3.exe	150
PID 2852 wrote to memory of 1816	2852	Autoit3.exe	150
PID 2852 wrote to memory of 1816	2852	Autoit3.exe	150
PID 4548 wrote to memory of 4016	4548	cmd.exe	153
PID 4548 wrote to memory of 4016	4548	cmd.exe	153
PID 4548 wrote to memory of 4016	4548	cmd.exe	153
PID 3508 wrote to memory of 3968	3508	Autoit3.exe	154

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe ~/appdata/local/test/script.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
  C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe ~/appdata/local/test/script.a3x
  2⤵
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
  "C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe" .\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2852
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkbfaha\bbhgdca
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1292

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:3136
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:5092
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:4452
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:4996
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:640
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:5064
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dkbfaha\Autoit3.exe" C:\ProgramData\dkbfaha\dhfacgd.a3x
1⤵
PID:3200
- C:\ProgramData\dkbfaha\Autoit3.exe
  C:\ProgramData\dkbfaha\Autoit3.exe C:\ProgramData\dkbfaha\dhfacgd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dkbfaha\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\dkbfaha\bbhgdca

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\dkbfaha\dafebhh

Filesize
1KB

MD5
71c8e08107aa188606c9786ed7a0899b

SHA1
210f709605fd8681b82c6a8c8d70157c1397db04

SHA256
d8e204f3bf6f4632910eb1bcbfe76e276d2b2c857b164ba40cf2c0ff8355fe92

SHA512
bc1bfbeccbc33f7e5ae03c0c6dfae77cd914b22143e6eb25838efba71016ecdd18f3344fa6252eac98be316711a3c4a41ded342332b29906aee07a715275ea29

Download Submit
C:\ProgramData\dkbfaha\dhfacgd.a3x

Filesize
585KB

MD5
19c3cd08cdf0b443297669fd94288fb5

SHA1
89e2519e2a0ff144f99e0f5d7a7419898e36ba77

SHA256
020740d11c15f7b3b5bbc2eef7e7237c91207089c06573fded479d03ab7f5092

SHA512
dc4e0b5fc15d5ce65d80792daffd2a8617b3079fd1a7877ca6e3c17cceb518972702b135524c076dd791d032e2f8247632cc43c4d0da296d12e0c38d1b439cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkg32bdo.fyd.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\EeAHCHh

Filesize
32B

MD5
11eee6a421bd61b40e162312a3ad72a1

SHA1
29032bcdc38833987d76db3c690e5bc57ec344eb

SHA256
5e6f86c1fe223a093361d9e4f433c8e1b2d26885c39c98636f880660bfd63be4

SHA512
b7f4ae1cfd1a2520d746a3faf425b308845eade22d286fb73cb00540454d5e8dd26da18309992d41f697e85179d1d8a29298ef9fd1e0a87323132fea976c902e

Download Submit
C:\temp\bcahhee

Filesize
4B

MD5
3d438dae80c54f483f5506d7e1cff5d5

SHA1
eac40137a72d1d98aa349301e884c3e817d6fb9e

SHA256
4257c1af3df11f19216d76e0f0069bab4e59483708b4ea1da240aaf84a26a920

SHA512
de51ae319960305efbbdf52737a767407cb18dfdc6ae99c608e6a930b6d5f12769d72e82af35775e39d7a4ba3b8ce537709d8ea3c25b35cbb2196e3a86054416

Download Submit
C:\temp\bcahhee

Filesize
4B

MD5
cb393475c684a5f49acb70b811f59928

SHA1
0fcaa5dac57537fd9a6d3837869ca58e99c72edf

SHA256
4e68f95072a9125ed1d659aac561d4fee6ee20067bd0396e550b1fc618fb0d32

SHA512
bd2ad2f7b212c9ea09455ec7f6adaa31310d3658a3dccf35728be10e265656c014803cefacff27681ff269ab4bbd33a182939d165b8a38b011d84f9c52f74512

Download Submit
C:\temp\bcahhee

Filesize
4B

MD5
3dfacd6c0401ddda00abef65d6a04e89

SHA1
958690b4e92df1cde34bb4a1833e80725dc7e2b7

SHA256
320f849bafa2b7745c9adabb40824516882e226aec9444e5fb8c79fca7531a65

SHA512
a89c216f4136aee5b0b46c33b0c64fd7a4faeb16bf7d01ef8d160c0af368d1cdd00ebb7e6defb38535fb626a405ad854282ccf314d4ad09e1f440872471a9228

Download Submit
C:\temp\bcahhee

Filesize
4B

MD5
987d5460b5e2225a4ba513c923e34898

SHA1
0da2d02cb8093a99b12853be29a0572c74c76758

SHA256
738c17a2b938a8f9fbee9cecfc25d529c1aeddcf5070ae9ef5883cf0a2d824d8

SHA512
6a2d8e3cb7348ac85b81717df4555c14a927d01a94136a174911a85147203a1191501252c46f3144eb39f25fca7e8fcc2d1c28c11ae65e2dd5b8b58cdb7129b3

Download Submit
C:\temp\bcahhee

Filesize
4B

MD5
9384c2319b6ef222423396bf0799902b

SHA1
0b284eeb0310c2329cad281ed67aeced9659c439

SHA256
777019203eccffaaeac2501eef49c18356d957fd75d9e44ec4b1dd86114c991b

SHA512
54708c0065ffb3270f3551b2b707e93708df0a15ed593a0d191d5cfc4bec15174df6782a720644b866ccfc6590e5276b03e810d262c87f9f52b4537e6cb84dbb

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
f145586793a392db53dcb3ba78eaeacb

SHA1
93fec9e0581419de492574271381a1f77fad938d

SHA256
c5bc0217077f450e947d13d8530078d799a3e5063d1ee6a804dd72691f7efdfb

SHA512
42d1bb1bcdbb4e8208a8e195a9db0541b187d9a70f0c780c21ed8a78f6b3ece1ace7bd5bde2d421f42bec6047e1712c623daad2dfd75e8f9fde3aed3ab3d8a1c

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
09e2ade48111883ccc9e45d56e37f3da

SHA1
9a9ffc8fa96ed47337db80088fe2ef7155d7fcf2

SHA256
969475e568a0ce62be0f1612c1288072bbdddb54f9fb3c18a9b1c9d6e7dca351

SHA512
b74573c7ae5444937715acd4deb4250741072152cd96c783b41c84315e833d4bab86589aa12ec8c3fa1467c1f70c9dd49656866b438d28a262c680ae9a56cbbc

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
ccb0eaf8e162159e199a3404f741ea70

SHA1
931722637dd33445c59d3193df46aacc0c6413d4

SHA256
822f531f021d471751f6fc96487f35478fca9bfe03ebe67f11a2c06d98928133

SHA512
e9e1d17121d03f247509e68c881225dafaee5205fc39a05343143d748484d919408e4e38dfc7db338f5a2e5a22bef794de85c7ffe4262c06e06a449c460bb0d2

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
292a75663fa1b81f09f385f886ef40f2

SHA1
ce4ccca087faf1d43d58bfb04f754ae257d0bbab

SHA256
693364105373bec3a898c8c44f70936fc9f09c32d035ea2426619199d6142a37

SHA512
000b8207bf5162f12552ad1a4946b785c48c132f996259dbb220a7318481478cd3d46e72163483ca34493dae0e695595fc603c9e568bd90dd003f98d591a54e0

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
cff75f11ced78425a33a1d9a9d51eb31

SHA1
f7574f38f084e5006051ca9f00e0d69d11b22d9f

SHA256
dd43b6deba5bb5dd71cb4925ee14a262e3beb779f763d39e6c74456f9e2d2902

SHA512
25f1c26e0d97c6167e3a18af1796bda8ecab523fa8513487fae407ae1b4edf3b17467c7312e3ed8606a5df42a25abf7fcffec280a8abefbe46d8c57d01a2ff0c

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
739ff4d68be01b2d6ca1cf4f6efca7aa

SHA1
06bab75dd66aef885d2c36f0b64f8e39e9b73d80

SHA256
aeae991bbad6a680d0578a55305806be5739e853036ee65d814a2ef425d78571

SHA512
824b71a43157a2b9cb153602224e8eec636e7564aa32fd1f1266180b73663e1876175c3b2dde78ae8f24e79a0f209d18c5d8ff170d5e59356cce5bd33ef1b900

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
39a4bed96449f8fcd08408578c8e6189

SHA1
0eea3e06a8c52e7c3d25f331fa44597961b615e5

SHA256
c2a81c5e7febdfb5f6311894686d374343f578214c7462002105d1d7187bf7d0

SHA512
1380458341051701bae8225a99f60c8c139986bfbedb3c098f5d3d3eb2c2fa123f72d3bc0f9ea07a2a9438f3f460ec79e566865c3d1d38af0fb891b71bc18bf8

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
0d9a3a1f1f61ac93737213618d57e727

SHA1
a179ceb596ce14a9bc39ac53a42350a9bfc07e98

SHA256
1fcc0958c5cf2eed82ed451ad2036b8461571aa4a979f4b5179750e1665f1ab5

SHA512
e80bb4b963cccf6b5c998a290d9e60eb6a42ece0683ff766c491dbefeb35c8a3e8d305caa77e8366089dbacc4bae521bef65761ed8ba6ff569784107f92ce22e

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
a8cc4db7b3cc60cce2cfe2e61c81d5d4

SHA1
617de04ad3f4d2f3b5aeec1694ebe3de8353e2ed

SHA256
c20a8f2a1584d2f46a5730882b00919230bbda7e979809438b5b4417997ef016

SHA512
64e4dc5cf3b0a574f8505cd561818dda627956c352314f358d8484f87be1e1c784235c5383f4df64b8181570f609ee875b492d941db007558abf9728174d2cfb

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
02b506322edfcd861cd10719cc1c66cf

SHA1
95dd2e93e81129027a50b29f1ae6baf65fac241d

SHA256
88b9b60758ca3c1ab3591cb806150107b3e9c0e2d2172b9642987a2ea13c8e95

SHA512
f5d17496fdfeb9f3bf085852b86e281ea652cf6059c1e817fd461dc53e99ca97f744dc6acd959e91b10c77d64bf264849df713f34c3e5b26b5768e7de5abf8e8

Download Submit
C:\temp\ecbbcbg

Filesize
4B

MD5
85c3e564624d4fdb8391f36f5d7b3bff

SHA1
8b0992230210e3bf3e9e61e817c2e0a41d33cc53

SHA256
88b625eb52315bff4f5ed16c180706cbbb5bebe24cbaadb9356d6d84d0279945

SHA512
450fe5456ff004d4d581c27b5e24e271db9997a700c63805cc9aa8f2acf2168a8939de912a45a067e44c2e360f9211e59bb686f1b906a7cdecda017b2355c33a

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
df5354693177e83e8ba089e94b7b6b55

SHA1
a2996f06709eec814cf3d144e7c505baa7cab557

SHA256
f14e5d1984c9b8d75fa57ccdfbbda927a6a7fd5b02248ae949db7bc14e846f2b

SHA512
c172acc5346292b054de6d66cc4457534a5a34e3ee5a9bf516d069545486469b4d3084779238f8eb1fafda9190f6d6969f030ffc2bb7ac5ccf6553f1073090c1

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
e46bc064f8e92ac2c404b9871b2a4ef2

SHA1
689a93dc62f20464ceb70cf30746f363ccf85ec9

SHA256
bdf27cc797d40a3b96e45913422ad961f80891145524b854ca2928ad1655efc4

SHA512
eab9e4954ca35a0d9bc758e8586e72516e8b0f55759e7f67c96c6336adc15de34f84047c46617e9d023bfa799f63a43605fdcb3a25f59ac2d12a97408e1c49dd

Download Submit
C:\temp\lp.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/2044-17-0x00000196FD680000-0x00000196FD69E000-memory.dmp

Filesize
120KB

Download
memory/2044-16-0x00000196FD6C0000-0x00000196FD736000-memory.dmp

Filesize
472KB

Download
memory/2044-28-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2044-20-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2044-19-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2044-18-0x00007FFBB35C3000-0x00007FFBB35C5000-memory.dmp

Filesize
8KB

Download
memory/2044-13-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2044-14-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2044-12-0x00000196FC330000-0x00000196FC352000-memory.dmp

Filesize
136KB

Download
memory/2044-15-0x00000196FC710000-0x00000196FC754000-memory.dmp

Filesize
272KB

Download
memory/2044-2-0x00007FFBB35C3000-0x00007FFBB35C5000-memory.dmp

Filesize
8KB

Download
memory/2044-23-0x00007FFBB35C0000-0x00007FFBB4081000-memory.dmp

Filesize
10.8MB

Download
memory/2852-75-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/2852-73-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/2852-48-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/2852-74-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/2852-77-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/2852-76-0x0000000003BA0000-0x0000000003EF5000-memory.dmp

Filesize
3.3MB

Download
memory/3740-111-0x00000000040C0000-0x0000000004415000-memory.dmp

Filesize
3.3MB

Download
memory/4888-39-0x00000000056E0000-0x000000000583A000-memory.dmp

Filesize
1.4MB

Download
memory/4888-38-0x0000000003110000-0x000000000312A000-memory.dmp

Filesize
104KB

Download
memory/4888-37-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download