86cc7751f22c46373f2eb0f20d26a321243fb78519ef5e62fb11af78d16725c3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2023 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde/dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2136-133-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/2136-154-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/996-176-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-175-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-197-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-198-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-199-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-200-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/2424-221-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-222-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-223-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/4864-245-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-298-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-316-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-317-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-318-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-325-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-326-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-327-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-328-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral4/memory/1508-329-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/memory/2136-154-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/996-176-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-175-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-197-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-198-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-199-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-200-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/2424-221-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-222-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-223-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/4864-245-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-298-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-316-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-317-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-318-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-325-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-326-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-327-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-328-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral4/memory/1508-329-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2136	dControl.exe
2136	dControl.exe
2136	dControl.exe
2136	dControl.exe
2136	dControl.exe
2136	dControl.exe
996	dControl.exe
996	dControl.exe
996	dControl.exe
996	dControl.exe
996	dControl.exe
996	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
2424	dControl.exe
2424	dControl.exe
2424	dControl.exe
2424	dControl.exe
2424	dControl.exe
2424	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
4864	dControl.exe
4864	dControl.exe
4864	dControl.exe
4864	dControl.exe
4864	dControl.exe
4864	dControl.exe
1436	msedge.exe
1436	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1508	dControl.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2136	dControl.exe
Token: SeIncreaseQuotaPrivilege	2136	dControl.exe
Token: 0	2136	dControl.exe
Token: SeDebugPrivilege	996	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	996	dControl.exe
Token: SeIncreaseQuotaPrivilege	996	dControl.exe
Token: SeDebugPrivilege	1508	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1508	dControl.exe
Token: SeIncreaseQuotaPrivilege	1508	dControl.exe
Token: 0	1508	dControl.exe
Token: SeDebugPrivilege	1508	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1508	dControl.exe
Token: SeIncreaseQuotaPrivilege	1508	dControl.exe
Token: 0	1508	dControl.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe
1508	dControl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2424	1508	dControl.exe	99
PID 1508 wrote to memory of 2424	1508	dControl.exe	99
PID 1508 wrote to memory of 2424	1508	dControl.exe	99
PID 1508 wrote to memory of 4864	1508	dControl.exe	110
PID 1508 wrote to memory of 4864	1508	dControl.exe	110
PID 1508 wrote to memory of 4864	1508	dControl.exe	110
PID 4716 wrote to memory of 2996	4716	msedge.exe	119
PID 4716 wrote to memory of 2996	4716	msedge.exe	119
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 3388	4716	msedge.exe	120
PID 4716 wrote to memory of 1436	4716	msedge.exe	121
PID 4716 wrote to memory of 1436	4716	msedge.exe	121
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122
PID 4716 wrote to memory of 3140	4716	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
- C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe" /TI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" windowsdefender:
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe" /EXP |672|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2424
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" ms-settings:windowsdefender
      4⤵
      PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\cde\dControl.exe" /EXP |672|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault00c80b8eh7fb5h46cfh85cehd532a0c74386
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd025546f8,0x7ffd02554708,0x7ffd02554718
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13391477036617674365,13056778794225338184,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13391477036617674365,13056778794225338184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13391477036617674365,13056778794225338184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8c91741e4f19e1f6dd8bf236b3ff3d6

SHA1
49c4811f14ba52492b7ca6b164789d9e26bbe1b3

SHA256
f73556aba9fa868fff7f87049a8c27ab97c0f5d8c5244797e15c33c53ce5fe6d

SHA512
d6c91b190d50a329def8a675f4c230e1bd9a831778ac39f3ed05d763325f4abf494ef1d241bc64ad35781b6ee8328899bf180a0754f031ead7c6c152490a4139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
69822abbe8522d471db60df434908f91

SHA1
874cb9164c48bd95cacd417c76b790b3930bdbce

SHA256
bb6d7bf125cc003b547c908340eba4b82f9f627c68143c89d4de3d85f2bedcb2

SHA512
60c65cc0f1dfdd0ddf2c2db872657865e59d6582d77ce236d2be5dd5a6e31e28eef6defd7ec2359f6d0eb54603057788472af5f0c17a3f9067995958e763aa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cde\dControl.ini

Filesize
85KB

MD5
1c5b3052cb8ad745d07abc297798dc4c

SHA1
3965f681c996a1e608b5b47e12f3cef9c24261ca

SHA256
f3ac4deff7bf6ee1c850177ec881f0dc6c09ac3111f6ff048ea1674de6d55d0d

SHA512
a2b786eae58cc9fbc8c2c460cccb62f99ef48851739a1fb4b5f625845359c5e01720877d4dbe70a39cf4506c0ee6b90f75fcd8737101df48ea82840769584aa4

Download Submit
C:\Windows\Temp\6eji9k9t.tmp

Filesize
37KB

MD5
1f8c95b97229e09286b8a531f690c661

SHA1
b15b21c4912267b41861fb351f192849cca68a12

SHA256
557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

SHA512
0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

Download Submit
C:\Windows\Temp\6eji9k9t.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut6E79.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut6E7A.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut6E7B.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/996-176-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-316-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-175-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-222-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-223-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-329-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-200-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-199-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-198-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-197-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-328-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-298-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-327-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-326-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-317-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-318-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1508-325-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2136-133-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2136-154-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-221-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4864-245-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download