darkgate | ff2f51fa09448e0ede9ced3abf33809e1f9c79c7569294a67a7d58fc6f32593b

Resubmissions

02/04/2025, 21:27

250402-1argnswpv8 3

02/04/2025, 21:16

250402-z4sq6attg1 10

Analysis

max time kernel
69s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
02/04/2025, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/ActiveSync.exe
Size

3.7MB
MD5

d9ab5ec0952f1927aa013a9fb92d154e
SHA1

0f956f83b3db92b8017ef9450bf97c2bb0c170ab
SHA256

5f73318a2f599782b3f74cac4b200d0bd19ca7083551643db6972704992e8005
SHA512

be22fe9f0e6f121214720b6c4b6ac86b6edc3d8b75a65b9c0cb82ccd18c6baa6dde05b8d6b6b39046ebe2ef20c254a0a05d624c700c877d4221b381be6281dcc
SSDEEP

49152:k1JkqNY5gjjwtvJ6D4qYjE2DfOzcOzxAfEQjCsnrBU54+ZKlBtvtMt0+Jf1Gzyyi:k1JkqNYWjk6M3DfOzcOpcCsrBU54+mL

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZuMRODIC
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 6 IoCs

resource	yara_rule
behavioral1/memory/4444-52-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6
behavioral1/memory/4444-87-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6
behavioral1/memory/4444-90-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6
behavioral1/memory/4444-89-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6
behavioral1/memory/4444-88-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6
behavioral1/memory/4444-86-0x00000000045F0000-0x0000000004945000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 32 IoCs

description	pid	Process	procid_target
PID 4444 created 2896	4444	Autoit3.exe	49
PID 4444 created 2896	4444	Autoit3.exe	49
PID 5496 created 4444	5496	Autoit3.exe	89
PID 5844 created 5040	5844	Autoit3.exe	86
PID 1128 created 3748	1128	Autoit3.exe	56
PID 2572 created 2896	2572	Autoit3.exe	49
PID 1696 created 5040	1696	Autoit3.exe	86
PID 4444 created 696	4444	Autoit3.exe	7
PID 1316 created 5040	1316	Autoit3.exe	86
PID 8 created 3696	8	Autoit3.exe	55
PID 3500 created 576	3500	Autoit3.exe	125
PID 5424 created 5116	5424	Autoit3.exe	87
PID 3352 created 3748	3352	Autoit3.exe	56
PID 4444 created 2144	4444	Autoit3.exe	37
PID 2012 created 3984	2012	Autoit3.exe	59
PID 4372 created 3020	4372	Autoit3.exe	50
PID 3516 created 5116	3516	Autoit3.exe	87
PID 1512 created 3696	1512	Autoit3.exe	55
PID 4444 created 1512	4444	Autoit3.exe	188
PID 2792 created 5116	2792	Autoit3.exe	87
PID 6116 created 2896	6116	Autoit3.exe	49
PID 1096 created 3748	1096	Autoit3.exe	56
PID 3180 created 3020	3180	Autoit3.exe	50
PID 4444 created 816	4444	Autoit3.exe	8
PID 4444 created 3964	4444	Autoit3.exe	206
PID 4084 created 4136	4084	Autoit3.exe	213
PID 1928 created 3760	1928	Autoit3.exe	57
PID 6068 created 3984	6068	Autoit3.exe	59
PID 3460 created 5116	3460	Autoit3.exe	87
PID 3468 created 3020	3468	Autoit3.exe	50
PID 4444 created 5984	4444	Autoit3.exe	70
PID 2260 created 4232	2260	Autoit3.exe	81

Executes dropped EXE 25 IoCs

pid	Process
5844	Autoit3.exe
5496	Autoit3.exe
1128	Autoit3.exe
2572	Autoit3.exe
1696	Autoit3.exe
1316	Autoit3.exe
8	Autoit3.exe
3500	Autoit3.exe
5424	Autoit3.exe
3352	Autoit3.exe
2012	Autoit3.exe
4372	Autoit3.exe
3516	Autoit3.exe
1512	Autoit3.exe
2792	Autoit3.exe
6116	Autoit3.exe
1096	Autoit3.exe
3180	Autoit3.exe
4084	Autoit3.exe
1928	Autoit3.exe
6068	Autoit3.exe
3460	Autoit3.exe
3468	Autoit3.exe
2260	Autoit3.exe
764	Autoit3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\bffedhc = "\"C:\\ProgramData\\bhgheha\\Autoit3.exe\" C:\\ProgramData\\bhgheha\\ebkbcfc.a3x"	Autoit3.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
4444	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActiveSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActiveSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

Checks processor information in registry 2 TTPs 52 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5116	powershell.exe
5116	powershell.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
5844	Autoit3.exe
5844	Autoit3.exe
5496	Autoit3.exe
5496	Autoit3.exe
5496	Autoit3.exe
5496	Autoit3.exe
1128	Autoit3.exe
1128	Autoit3.exe
5844	Autoit3.exe
5844	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
2572	Autoit3.exe
2572	Autoit3.exe
1128	Autoit3.exe
1128	Autoit3.exe
1696	Autoit3.exe
1696	Autoit3.exe
2572	Autoit3.exe
2572	Autoit3.exe
1316	Autoit3.exe
1316	Autoit3.exe
1696	Autoit3.exe
1696	Autoit3.exe
1128	Autoit3.exe
1128	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
8	Autoit3.exe
8	Autoit3.exe
1316	Autoit3.exe
1316	Autoit3.exe
3500	Autoit3.exe
3500	Autoit3.exe
8	Autoit3.exe
8	Autoit3.exe
1696	Autoit3.exe
1696	Autoit3.exe
4444	Autoit3.exe
4444	Autoit3.exe
5424	Autoit3.exe
5424	Autoit3.exe
3500	Autoit3.exe
3500	Autoit3.exe
1316	Autoit3.exe
1316	Autoit3.exe
3352	Autoit3.exe
3352	Autoit3.exe
5424	Autoit3.exe
5424	Autoit3.exe
8	Autoit3.exe
8	Autoit3.exe
2012	Autoit3.exe
2012	Autoit3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4232	WindowsTerminal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	WindowsTerminal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4232	1980	wt.exe	81
PID 1980 wrote to memory of 4232	1980	wt.exe	81
PID 1980 wrote to memory of 4232	1980	wt.exe	81
PID 4232 wrote to memory of 4352	4232	WindowsTerminal.exe	82
PID 4232 wrote to memory of 4352	4232	WindowsTerminal.exe	82
PID 4232 wrote to memory of 5040	4232	WindowsTerminal.exe	86
PID 4232 wrote to memory of 5040	4232	WindowsTerminal.exe	86
PID 4232 wrote to memory of 5040	4232	WindowsTerminal.exe	86
PID 4232 wrote to memory of 5116	4232	WindowsTerminal.exe	87
PID 4232 wrote to memory of 5116	4232	WindowsTerminal.exe	87
PID 5116 wrote to memory of 4520	5116	powershell.exe	88
PID 5116 wrote to memory of 4520	5116	powershell.exe	88
PID 5116 wrote to memory of 4520	5116	powershell.exe	88
PID 5116 wrote to memory of 4444	5116	powershell.exe	89
PID 5116 wrote to memory of 4444	5116	powershell.exe	89
PID 5116 wrote to memory of 4444	5116	powershell.exe	89
PID 4444 wrote to memory of 1736	4444	Autoit3.exe	90
PID 4444 wrote to memory of 1736	4444	Autoit3.exe	90
PID 4444 wrote to memory of 1736	4444	Autoit3.exe	90
PID 1736 wrote to memory of 2404	1736	cmd.exe	92
PID 1736 wrote to memory of 2404	1736	cmd.exe	92
PID 1736 wrote to memory of 2404	1736	cmd.exe	92
PID 4444 wrote to memory of 2388	4444	Autoit3.exe	94
PID 4444 wrote to memory of 2388	4444	Autoit3.exe	94
PID 4444 wrote to memory of 2388	4444	Autoit3.exe	94
PID 4444 wrote to memory of 3628	4444	Autoit3.exe	96
PID 4444 wrote to memory of 3628	4444	Autoit3.exe	96
PID 4444 wrote to memory of 3628	4444	Autoit3.exe	96
PID 4444 wrote to memory of 2448	4444	Autoit3.exe	102
PID 4444 wrote to memory of 2448	4444	Autoit3.exe	102
PID 4444 wrote to memory of 2448	4444	Autoit3.exe	102
PID 2296 wrote to memory of 5844	2296	cmd.exe	104
PID 2296 wrote to memory of 5844	2296	cmd.exe	104
PID 2296 wrote to memory of 5844	2296	cmd.exe	104
PID 2752 wrote to memory of 5496	2752	cmd.exe	105
PID 2752 wrote to memory of 5496	2752	cmd.exe	105
PID 2752 wrote to memory of 5496	2752	cmd.exe	105
PID 5496 wrote to memory of 4760	5496	Autoit3.exe	106
PID 5496 wrote to memory of 4760	5496	Autoit3.exe	106
PID 5496 wrote to memory of 4760	5496	Autoit3.exe	106
PID 2056 wrote to memory of 1128	2056	cmd.exe	110
PID 2056 wrote to memory of 1128	2056	cmd.exe	110
PID 2056 wrote to memory of 1128	2056	cmd.exe	110
PID 4444 wrote to memory of 2068	4444	Autoit3.exe	111
PID 4444 wrote to memory of 2068	4444	Autoit3.exe	111
PID 4444 wrote to memory of 2068	4444	Autoit3.exe	111
PID 5844 wrote to memory of 5516	5844	Autoit3.exe	113
PID 5844 wrote to memory of 5516	5844	Autoit3.exe	113
PID 5844 wrote to memory of 5516	5844	Autoit3.exe	113
PID 6056 wrote to memory of 2572	6056	cmd.exe	117
PID 6056 wrote to memory of 2572	6056	cmd.exe	117
PID 6056 wrote to memory of 2572	6056	cmd.exe	117
PID 1128 wrote to memory of 1112	1128	Autoit3.exe	120
PID 1128 wrote to memory of 1112	1128	Autoit3.exe	120
PID 1128 wrote to memory of 1112	1128	Autoit3.exe	120
PID 5696 wrote to memory of 1696	5696	cmd.exe	122
PID 5696 wrote to memory of 1696	5696	cmd.exe	122
PID 5696 wrote to memory of 1696	5696	cmd.exe	122
PID 2572 wrote to memory of 1200	2572	Autoit3.exe	123
PID 2572 wrote to memory of 1200	2572	Autoit3.exe	123
PID 2572 wrote to memory of 1200	2572	Autoit3.exe	123
PID 576 wrote to memory of 1316	576	cmd.exe	127
PID 576 wrote to memory of 1316	576	cmd.exe	127
PID 576 wrote to memory of 1316	576	cmd.exe	127

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4216

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:816

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5528

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136

C:\Users\Admin\AppData\Local\Temp\test\ActiveSync.exe
"C:\Users\Admin\AppData\Local\Temp\test\ActiveSync.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4592

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:4352
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa30 --server 0xa2c
    3⤵
    PID:5040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      PID:5516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\test\ActiveSync.exe
      "C:\Users\Admin\AppData\Local\Temp\test\ActiveSync.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe" .\script.a3x
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Adds Run key to start application
      Command and Scripting Interpreter: AutoIT
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:4444
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bhgheha\dffcbgg
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ComputerSystem get domain
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        
        PID:3628
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      PID:4168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5740
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:6056
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:5696
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:5956
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:4864
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:5852
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:2260
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:5172
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:4924
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:1176
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:2240
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:4252
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:2912
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:3964
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:4136
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:580
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:248
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:4920
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:6068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:728
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:468
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:5436
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\bhgheha\Autoit3.exe" C:\ProgramData\bhgheha\ebkbcfc.a3x
1⤵
PID:3448
- C:\ProgramData\bhgheha\Autoit3.exe
  C:\ProgramData\bhgheha\Autoit3.exe C:\ProgramData\bhgheha\ebkbcfc.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bhgheha\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\bhgheha\dffcbgg

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\bhgheha\ebkbcfc.a3x

Filesize
585KB

MD5
19c3cd08cdf0b443297669fd94288fb5

SHA1
89e2519e2a0ff144f99e0f5d7a7419898e36ba77

SHA256
020740d11c15f7b3b5bbc2eef7e7237c91207089c06573fded479d03ab7f5092

SHA512
dc4e0b5fc15d5ce65d80792daffd2a8617b3079fd1a7877ca6e3c17cceb518972702b135524c076dd791d032e2f8247632cc43c4d0da296d12e0c38d1b439cc3

Download Submit
C:\ProgramData\bhgheha\hafaafc

Filesize
1KB

MD5
ec9555a2c4a0094c1ed7e4931edd928b

SHA1
62b6f6fe3fa21444a009b979079353b09e8b9ae9

SHA256
5b628886254603ad9677d861d9dc6dab56b1dd924f26884e2929d6c986899ed6

SHA512
2a3f0c12a37629a3fcadcc8a01050047c58153e18039d424570f8f5a644bb59ce499b086883cb18cb8e33ac491308056fb8053aca3d71073dab413b52a298f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Filesize
841B

MD5
3e1d14e0e2cc17ee1d96b6b63f08b54a

SHA1
fc46ed5e8c8ecfa034f932d60903521e154be600

SHA256
a5b1dee69defc4e1c1f37c2e06a95a445cb747aae04317b30971fe996a69cd2c

SHA512
a6a4e78c6395e20f4897b8d84601aaac900f46d58b4e9859821654a453a3ae67ec91d8fa2756d1ca44bd6590e73ac533dee749b6054100a0f13040bca503884c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hlj0kxi.axm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\cCFKbfa

Filesize
32B

MD5
378d7bbdfb264afd6c63e4dddf2da9e2

SHA1
d7cfc339dd299ad6a17478da89451efface4d60c

SHA256
f03e2db6d830d61d704652060b5196f6f591321020ecb8e1d7d5731894947225

SHA512
0e9a61d6e1731ac7b748904d55ce857c0184e08933541f0f71508caa918cd3e5296ef1b677d1aaf7dbbe66434df823c28c6a0ca504b9b75f1f4c5e8359dd5491

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
389a8708b31abdc89ef879eeb4454ac2

SHA1
07034e7af89df10146002c473fd0d26a3394e08d

SHA256
4b21a98440e3ee64c2ecd6db5ab736301829248f5d89a3778ce9977231e4b5c0

SHA512
7ee60c1a78b53baae9e270aea14fd962c3861bfa1a157e6669b8b5bd7c54d4dac81dc9ba7c4a913bdff371d53f1cbc45f6fe651186ad808123644a471da5cf09

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
dd23ea97d882a6a1fc370d6d8ae270f8

SHA1
8fc1eec5b3c28f6a6c3a9b38e34b69491a007e99

SHA256
70c818263122e67fe590b77efbd75db17e2afa970258f46128bee85e6a11fbfd

SHA512
e269592226998103283a0fcf443a59a30ea2d62e98379c02def9631a6bebf3f3cd29fb6533fba99f20f22b4457bed5f06b93a5a994c9fa32ea6e53ce36482345

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
8e8d6f5e92cc137c90f12e2b78a9ba89

SHA1
84c92cdc36aa7e5e7f29c538220d66eea7723663

SHA256
fbb8dd2196cf1f4861200b132532f8c7efa3ad4dd665621f0b1ebf1511b6f9e9

SHA512
db08418739531e8c06c48dd6e74272d44c743fe237a80e9a854415c61cc0fc9f432acad6d8143c3d5e06217efad097a7e63fff2ab4d0b732103cd2b34aa7e686

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
693dc0038f4b24af43c9a17bfc44d55a

SHA1
b4fbf38988391c4abf728b2433595e0b690960d6

SHA256
5dd5a96a5486f84e5613e7a030782dffc569d1e153653ae0757ff930459f47cb

SHA512
7908fa02ae9e8bd5c412e295be23d1beb0321515645146d246260f87db927f8bbe6722ea42ea8208f9d949ac8f8b90aae6870f4be6bf21d904c5456c8554d5d1

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
b12c32751ee9b23b5b55a12589e7ff7a

SHA1
510e2e9bf0217d5602fcc2dc2be6d8bd169b8477

SHA256
fa78a05ad9bd66cdf6d4693d525dbb0c4edac440e213ed5e0c6962fa90626e1a

SHA512
2d28df0493533745751814218498f5dd25f2d2bcaf7d114aa3e93029faf589c56113d8c9af2a8a45f16512725bf1c342d4e1249380a1d4a70e291b8948bad615

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
377a14198b91b7c9752e0dc2cf543dc9

SHA1
3b2c6f010c95166d621ff13c30ec070d8300ecce

SHA256
bf2675ff66ba127fa186f277fcb78e7af7126cd0f86780e5e26d6717c45b8c1c

SHA512
6a8425c801f4cd86b94c8e5d331baf804f4690760ac76f94ad712c7559602fb2e6faecb71f6c77717446ac8d6f9762508e3a5b6289dc4c70b9482b2a0217e285

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
09700b421d0293517c6a308ba7516bac

SHA1
861999c153a0d172ee987d83804c2ff166db3c1e

SHA256
a5cc9f96368e0fb1130fe4bba4cb73b0d389c0454cdc9ad689fe8dbdf8f14da4

SHA512
6792016692998933991ac4fe078f192cbf6c9f5de1274d7334760cf5ead9af6f2e5cf7065796dc5bb3f1cbe265d339179d044727e05d1b2d7f497200390a06ea

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
6ad01d1ec1ef4359c28b6176f7dfabc3

SHA1
a5b409de8737875e3b550745c68105f6d906d3ac

SHA256
1bb3ab36380183fde1d3f1f2169da6c73be9e4c80581be4a10236c91d6bd2c78

SHA512
5a31290c866b0bd90d6f2231f72048ff9332a16c87b3be177bde65c9621e054b390d8498589f7155f47ae233d60d2bf938bbff39e4a7af4c20add5d5293649fb

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
e23cdf69797eb959d506fe1454dc988a

SHA1
05ea94c87b87070d7fbff97116a94c8cb047ad78

SHA256
02cb28864e0a84466a5ff29f3105b8fcfa4d2f4d38152381e6a3af219514a741

SHA512
c25639766554413ef17db0573cdb8951dd3e9c88ada715fff2b2ab27b29d09f521b8fb687bd88079fc47fa0fdc273beaa7a7765aee1845cb50276268e71c08dc

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
27e7973108635877ec7c5e22623983a6

SHA1
7579520f4b4daef829a10e49c217ef525a232c43

SHA256
800ea40f8f2243d129510e9e92ca3a129994c245bced5fb634bacb9e2d88fbbf

SHA512
527c53268d859955e46004b97142cc27cc9646c5987a1dce51aebe646ef63a33dfca415e83fb50e20df68ff8cacd0cfe0f2785a3b2eee20a98e42fbea3f0be26

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
b4d25000cfb4072cc18bb4a18e985f89

SHA1
23b73731b9cda1b279fad8a2a4929a78652f4faf

SHA256
169d5ef7fd4a1bff3789f07697a1bf53a6e2cab195361a1ec51f2ec65a46afc7

SHA512
d1e63c38ce04e7ba9f9b0289962011a98ef0c0d8dcd64f9f818eb885d5ea25863e16397c44c7d2b5296afe7c9fbbe63ef8d40a761ecc77313ad85fbe85e14e55

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
036e3ff2c140f8503651af6fdce067cb

SHA1
a393d7f084d169ba89fd26aadd9976af771daf4a

SHA256
7580ba28b8302c6f3098abe4413603ab16e1321df167f7e7d1e534f8916f03da

SHA512
00f1262dc2b9e6512799875a91984b6894e7b8e9e3152f369b8a4479d3ef4ff87df4d512dfe1211b572b403c5fa672699ae7234621e9d1c15cf0da233c3ea202

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
3f642d522dd60141ebe62753e5ade725

SHA1
0d9c7b05dba3f43e5191b91bf12215181413ef9b

SHA256
8e9f161e512fcc9c653ff2835b5c5801504230fd4fca8e7dd4346e462c6fdcc5

SHA512
f95b64b99746a38031a46a18921b4ac8b4810f6509e94e5ec3b807a6d7b28d16b2bb7675588c9d89317399b101d247a1ee0c121e1161a8b41f6be4be88d46fa5

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
6e116e79831e9943b8245b2060232213

SHA1
188cceedc859992feefd7e346c0335331eabb3b7

SHA256
cc4f9b9fb9c2fa28e6544c75a14098e991fe2c9bf0d75458d2e0b3d02798863f

SHA512
84cf89d3369d74d7f254e3605731fa042cac296b161007a00aedfa3cc9b0e39d4849b778d9ff379729a1915281047a6409fc6885426c8256adf3542ba99c0a72

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
52aad9d4f64bf6bfbe8d820ecd9bf89a

SHA1
1816e6acbeff0a65a9148530beeff25126aa4c61

SHA256
8c0fa8e8813ec05fdb3873860d59f5b033bebe45f92f1bc8db05110e2c3480df

SHA512
965eeddf3d35908f74eebb8ee77ead9d1fb64e4cd18bb9e417d8bc927900c55295d1d5b2fd342ec54efc727cc0d40efcdfb0be2a5ae5ab8729bb6ead7c9bbd35

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
0076c0c2e3efa513c9f7bcc3190399f1

SHA1
4a3262f831089ecc3c9983678a9aa72ebf67a728

SHA256
fbe545f15e126bb5f6c23ef3eec88cca553cde2d5d007880615e6310eccedff8

SHA512
4a6a06ff899d6c5f98946d3fba77f248da1de72cd0f48703c22f93a9a96fdcf3d6d600e1bd4a2bc64e03beb16ca9712b83391ff095dd89106401ee5315faa52f

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
290fc5f85ce9d8efe0ad7e5b7aab9cbb

SHA1
c5da1d120e0c1922ce41a26212549f63fe786990

SHA256
3ea3d22d22934d4333c5be8cb91ecab6c4dc8cc1723b23bf2b1c65002e246b6f

SHA512
e280a586fb35bddaf4d93e32ae5ed7b0c990f2599e03ea415b6f5f05deb3ced2bda5756b52ae45810465f1ed45cf2cff9eb827c7ca8887fbb5a5defa89344192

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
62f5fefeeaaf77707278c631aa51fc7e

SHA1
91d834768d1c6fce19da41958215ec57b348d21a

SHA256
42b4522e169cb5e0d875fb8bead15ce04f15608aae3aac0da7424bbfe4aec6b5

SHA512
10c3857318b16892eb45c2b5d84ccc75b133f7f683e3a5523d77663727598a2102bcd73cf15e06a8d8fa8f23ac62c70f28def0773e93d0f1472a62023efa889f

Download Submit
C:\temp\bbdhgek

Filesize
4B

MD5
01ff54aef42ddff47dc8200e4930c5d7

SHA1
efab49bb8122219673b14085af9a3d716ad04e80

SHA256
6df1acb935737e8de1bd49ab0b1eeadf2c5da26f819bcc9d57cfa24ab39fde96

SHA512
c24c59eeef43c4c50b592887e7f76b6a668a1b4df42226b6af03d2724652cd845fa06e1bdd93b448f685c4bf55b2d5af9afb17a37cd88d6946d6bbae9dda82b8

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
6012c8d3fcf8b123f828a76023805128

SHA1
15872103567040eee402938bb43cbfe586b2ab10

SHA256
ba3899e9584470642bcd12d999238f5c7df109a678dc2d57a8286b9dd454eb32

SHA512
57e6ea88c4ee1deb478438fb446fa4ddc1e84b08a30ca526bf19d839fa8a7788bdb1dc8ed4c675911f34aba790289683011c9a074a06547d202ff574d4340c40

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
54eee90072256c6005b81e6ce71b9d10

SHA1
8220f3e0f9df1f86f3bbdb3fe987adb22b1738a5

SHA256
834acf6e622298f71fadb18dc7ff0dd0371978ed426624ca2ce18b2df3631d80

SHA512
18fc902552c65b515cb8ccdd7c89be4c31c5dd0543cdf81bb305065100cc73323b572f21b150a7f0638cc2977a9c35cc941574cf16e75ec2e894df6af6217883

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
ecdb7dc46a31d8d84b12a2eb8a2544cc

SHA1
6fd7f041434449d146ebf839361964bb249c362b

SHA256
8a201795e0b6d16de5d4e731eb37bf5ad682fc2d28a56c8faeead19750e480f6

SHA512
927e9187be234ab05faa78388bcee275b75d74896e7468841530b3a8a46383f9a88498570d5a9e05d955387f64339be293c59ba7dde7add195d0e0a4ef6f9c2d

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
f7e4c9619f650b4fac6e5042d1963cc4

SHA1
b123f39dc2f1273549975a781984f845210723b4

SHA256
41b21e52a623905b2403198c8d5dc914e6417fe819ee36a3b68bf4af13db4e01

SHA512
4e412d88b6be02a3df4562a15ae3306c9c6c2f7cdc1b9be1e603463e3f6d9ff770cd7b4ab8581f3dc0b51237569b7b4f90dbc88a694965cf607ab364d64fcbb4

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
669af409f1332d10a8edbc82397bc6f5

SHA1
7e9743be6d6b7272b626ae4bc25f30bc6ea87c9e

SHA256
921db8236cdfb9e7f8eddc1ce2654cdc00501be40cdbf805e7e00d075c285f73

SHA512
8dad474aa1c8e5fe35788416b8afdfd4594c9e6fd81238492e62eefcb75625673f49e8bbcd4645cbe8b827ca0428ddae7e1049f27f4675ca42619917978af05a

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
e9782d958177b240071982760a40daa1

SHA1
626044a68b17461fd5c83e9cf666f13190e356ee

SHA256
365267f9b775b199f468a52fa5f4e8de97039e7f5fb2286ea0a45f8c5c2be748

SHA512
1bfec1216c4ac8dbfbe405329e79633aeb921c9ec0b9ea96fe4d1efa67ae0ea287924c33fd7edcb47fb37108341078202b983035fa96655906f0ba21d1ac4516

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
f6ca5a3a15fe6d1332b17b2bcfc92256

SHA1
1d52d943fd89b2c0a5bd1020df0c9f04e6eae4d7

SHA256
6debd869df762f650a0a0fbd121de65799745669ef7015e278767b97cf5ceb41

SHA512
a076a7d67bef34c1e6012fff339f647c7d224674bebfc29122df3f20e97a97b24ec8226c58617f1ca4d3f078767fcf6c33e6e720965fa7706f260d2bbb6a5297

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
f67f5f3bf3ba97a2b75b6b02cc651bc9

SHA1
4ce5dd3cf3f64afcc1a7433aa7ec7091f4dc65fb

SHA256
288f9886ba0b7b66db01e2c40c8c06cc1eeb6c99efe93d797c00adab1a191695

SHA512
f838de97eb12e079298159a499798675294810c4668bf5d73d9f202caf441b376696594c75f26fae83609bdcd4addae39030c0da68735a014c0d672da3c09089

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
ef7b3cfdc86b30f397fba14601602664

SHA1
1d7ecc672ad430c50ae6b8182a5b6601267f95d2

SHA256
459c9d8b811d1c148dbe5b335796c29fdf8bc7c7c0cac231588507c315db5386

SHA512
62bbbcc7e80349e43c64c601d30550a2181ba27aacd1ac3962bd7a7a0a46bd3261bc5ba8af330691f7630269742fd85184d1bc1cb6e051cf75fe80ec4a2b27aa

Download Submit
C:\temp\hcfckde

Filesize
4B

MD5
ddc36c1e64de9f73b95ba61915a63872

SHA1
9c818c6895028a5cc782f5e096fbafba62562481

SHA256
985510f68c310234acf71f997e7280720b84666c9a06de6574dc15f2c936cc70

SHA512
19f48735cc3fe845dd2d82488b9d7d85839c8bdede71be367864e57004041316ea3aeb8064a4b934e10bfac62b0c5e21b9a000440f3e01a0fa195a735340c0f1

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
8e930496927757aac0dbd2438cb3f4f6

SHA1
bf64e500ca8ff5f34f830084c9f7db87d7a7092b

SHA256
9992c69a82eaba0fc969138c6b27152615b3a57b09ed936bd09b75f1b80d0117

SHA512
b0f574c1fa66049856fb2dd995791de13701c70eacccf7df67e7d66e4bad8f29dca0fb008ff69687ad15d3b394e7e4a670efb2ef15902895ab205e2912816a81

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
dfa037a53e121ecc9e0926800c3e814e

SHA1
3d01c313c38258a1b78a7c1a4a662e0c10588d84

SHA256
13105809c5b30ef11331cc0b62b71c70623c0353e7c32de4cf1d6d589bf3f286

SHA512
b149fe4774b2a5ad26539318c6f06d1930216b1cd4678dfc39590e1757f0b41b5182669a94f1034812e54bf9b1a88c02eb0a773dda12c2c68e50ed7d96da672a

Download Submit
C:\temp\lp.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/2388-43-0x0000000005270000-0x00000000053CA000-memory.dmp

Filesize
1.4MB

Download
memory/2388-42-0x0000000005050000-0x000000000506A000-memory.dmp

Filesize
104KB

Download
memory/2388-41-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/4444-87-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4444-86-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4444-52-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4444-90-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4444-89-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4444-88-0x00000000045F0000-0x0000000004945000-memory.dmp

Filesize
3.3MB

Download
memory/4520-26-0x0000000004320000-0x0000000006011000-memory.dmp

Filesize
28.9MB

Download
memory/4520-31-0x0000000000D40000-0x0000000000D53000-memory.dmp

Filesize
76KB

Download
memory/4592-0-0x00000000044A0000-0x0000000006191000-memory.dmp

Filesize
28.9MB

Download
memory/4592-5-0x0000000000930000-0x0000000000943000-memory.dmp

Filesize
76KB

Download
memory/4592-4-0x00000000027B0000-0x0000000004495000-memory.dmp

Filesize
28.9MB

Download
memory/5116-20-0x00000203317B0000-0x00000203317CE000-memory.dmp

Filesize
120KB

Download
memory/5116-19-0x0000020331CE0000-0x0000020331D56000-memory.dmp

Filesize
472KB

Download
memory/5116-18-0x0000020331760000-0x00000203317A6000-memory.dmp

Filesize
280KB

Download
memory/5116-9-0x0000020331670000-0x0000020331692000-memory.dmp

Filesize
136KB

Download