248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f

Analysis

max time kernel
153s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
Size

1.1MB
MD5

ad3bbd955c15dc9c0704c4830fab4392
SHA1

b82360e64607a92bf16ee0a543a324a3ce457a87
SHA256

248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f
SHA512

daf4cad977c8a7043819399f89b314ab45543c6aef383a34790254cc3eb0a11e67e5f14ad527e05fdfdcd25a46053a4c712905721ac9efd43ef3dd0bc8469c0a
SSDEEP

12288:xqXUHkUXe3GOkx2LIaKMgdBQGb1wyyy0/n:xjHPO2Okx2LFKMgdBQGpA

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3176 created 608	3176	Explorer.EXE	79

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\qTSMDMP.sys	BdeHdCfg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe

Executes dropped EXE 2 IoCs

pid	Process
3392	49be0da0
2672	BdeHdCfg.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000580000-0x0000000000609000-memory.dmp	upx
behavioral2/files/0x001000000001e746-2.dat	upx
behavioral2/memory/3392-4-0x0000000000900000-0x0000000000989000-memory.dmp	upx
behavioral2/files/0x001000000001e746-3.dat	upx
behavioral2/memory/3048-29-0x0000000000580000-0x0000000000609000-memory.dmp	upx
behavioral2/memory/3048-31-0x0000000000580000-0x0000000000609000-memory.dmp	upx
behavioral2/memory/3392-38-0x0000000000900000-0x0000000000989000-memory.dmp	upx
behavioral2/memory/3392-46-0x0000000000900000-0x0000000000989000-memory.dmp	upx
behavioral2/memory/3392-71-0x0000000000900000-0x0000000000989000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	49be0da0
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	BdeHdCfg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	49be0da0
File created	C:\Windows\SysWOW64\49be0da0	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	49be0da0
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	BdeHdCfg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	49be0da0
File created	C:\Windows\system32\ \Windows\System32\WnJWiNBnT.sys	BdeHdCfg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	BdeHdCfg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	49be0da0
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	49be0da0
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	BdeHdCfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	49be0da0
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	49be0da0

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3a1280	49be0da0
File created	C:\Windows\Help\BdeHdCfg.exe	Explorer.EXE
File opened for modification	C:\Windows\Help\BdeHdCfg.exe	Explorer.EXE
File created	C:\Windows\MeWmYff5I.sys	BdeHdCfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	BdeHdCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	BdeHdCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	BdeHdCfg.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1388	timeout.exe
4676	timeout.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	BdeHdCfg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	49be0da0
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	49be0da0
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	BdeHdCfg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	BdeHdCfg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	BdeHdCfg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	49be0da0
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	49be0da0
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	BdeHdCfg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	49be0da0
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	BdeHdCfg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	49be0da0
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	49be0da0
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	49be0da0
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	BdeHdCfg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	49be0da0
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	BdeHdCfg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	BdeHdCfg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3392	49be0da0
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3392	49be0da0
3392	49be0da0
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe
2672	BdeHdCfg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
Token: SeTcbPrivilege	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
Token: SeDebugPrivilege	3392	49be0da0
Token: SeTcbPrivilege	3392	49be0da0
Token: SeDebugPrivilege	3392	49be0da0
Token: SeDebugPrivilege	3176	Explorer.EXE
Token: SeDebugPrivilege	3176	Explorer.EXE
Token: SeIncBasePriorityPrivilege	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
Token: SeDebugPrivilege	3392	49be0da0
Token: SeDebugPrivilege	2672	BdeHdCfg.exe
Token: SeDebugPrivilege	2672	BdeHdCfg.exe
Token: SeDebugPrivilege	2672	BdeHdCfg.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeIncBasePriorityPrivilege	3392	49be0da0
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 3176	3392	49be0da0	37
PID 3392 wrote to memory of 3176	3392	49be0da0	37
PID 3392 wrote to memory of 3176	3392	49be0da0	37
PID 3392 wrote to memory of 3176	3392	49be0da0	37
PID 3392 wrote to memory of 3176	3392	49be0da0	37
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3176 wrote to memory of 2672	3176	Explorer.EXE	90
PID 3392 wrote to memory of 608	3392	49be0da0	79
PID 3392 wrote to memory of 608	3392	49be0da0	79
PID 3392 wrote to memory of 608	3392	49be0da0	79
PID 3392 wrote to memory of 608	3392	49be0da0	79
PID 3392 wrote to memory of 608	3392	49be0da0	79
PID 3048 wrote to memory of 5004	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe	95
PID 3048 wrote to memory of 5004	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe	95
PID 3048 wrote to memory of 5004	3048	248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe	95
PID 5004 wrote to memory of 1388	5004	cmd.exe	97
PID 5004 wrote to memory of 1388	5004	cmd.exe	97
PID 5004 wrote to memory of 1388	5004	cmd.exe	97
PID 3392 wrote to memory of 3628	3392	49be0da0	101
PID 3392 wrote to memory of 3628	3392	49be0da0	101
PID 3392 wrote to memory of 3628	3392	49be0da0	101
PID 3628 wrote to memory of 4676	3628	cmd.exe	104
PID 3628 wrote to memory of 4676	3628	cmd.exe	104
PID 3628 wrote to memory of 4676	3628	cmd.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe
  "C:\Users\Admin\AppData\Local\Temp\248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\248a5c1ef93baa512192d26f62dbb505628e874f61119b87793e16ef6764566f.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\Help\BdeHdCfg.exe
  "C:\Windows\Help\BdeHdCfg.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\Syswow64\49be0da0
C:\Windows\Syswow64\49be0da0
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\49be0da0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83495e79.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\Windows\Help\BdeHdCfg.exe

Filesize
131KB

MD5
89d0572c9b53f34230c8514f6b11bd56

SHA1
c8111fa4bb979386bd9c7923eb5e8ba3cb2947fb

SHA256
a6797c873af8f7fefe1352876113cd912e329759e838cf2f49ecd7bdf4bf4f26

SHA512
ec6199df2daca0de2bc279e891d5996ba4afc6ee1892aa878fb17c438f7c2ebc4e7678a582151acc56d7fb74e8787e3ec8d5aa0c370df0b5d0dea0dedfc30ea0

Download Submit
C:\Windows\Help\BdeHdCfg.exe

Filesize
131KB

MD5
89d0572c9b53f34230c8514f6b11bd56

SHA1
c8111fa4bb979386bd9c7923eb5e8ba3cb2947fb

SHA256
a6797c873af8f7fefe1352876113cd912e329759e838cf2f49ecd7bdf4bf4f26

SHA512
ec6199df2daca0de2bc279e891d5996ba4afc6ee1892aa878fb17c438f7c2ebc4e7678a582151acc56d7fb74e8787e3ec8d5aa0c370df0b5d0dea0dedfc30ea0

Download Submit
C:\Windows\SysWOW64\49be0da0

Filesize
1.1MB

MD5
c8369b435499765258632870612943e7

SHA1
3492ed1332f3339685ad9408ec87dbe572b46dc0

SHA256
221be23b60fc23d65fbe4a169f988e61d8edd9e28d669bb783fc4b15edaea5c1

SHA512
b8e3d060e398075cad005e0bf51539d1b965317d7a06b40f69378a3915c945ca8efcf01fbb3ccad46e68b0b9bcbc03cb007a846094378899e88b1c061ef93d44

Download Submit
C:\Windows\SysWOW64\49be0da0

Filesize
1.1MB

MD5
c8369b435499765258632870612943e7

SHA1
3492ed1332f3339685ad9408ec87dbe572b46dc0

SHA256
221be23b60fc23d65fbe4a169f988e61d8edd9e28d669bb783fc4b15edaea5c1

SHA512
b8e3d060e398075cad005e0bf51539d1b965317d7a06b40f69378a3915c945ca8efcf01fbb3ccad46e68b0b9bcbc03cb007a846094378899e88b1c061ef93d44

Download Submit
memory/608-67-0x00000212B5210000-0x00000212B5211000-memory.dmp

Filesize
4KB

Download
memory/608-30-0x00000212B51A0000-0x00000212B51C8000-memory.dmp

Filesize
160KB

Download
memory/608-28-0x00000212B5210000-0x00000212B5211000-memory.dmp

Filesize
4KB

Download
memory/608-26-0x00000212B5190000-0x00000212B5193000-memory.dmp

Filesize
12KB

Download
memory/2672-65-0x0000014779E40000-0x0000014779E41000-memory.dmp

Filesize
4KB

Download
memory/2672-113-0x000001477BAB0000-0x000001477BAB8000-memory.dmp

Filesize
32KB

Download
memory/2672-20-0x0000014779D30000-0x0000014779DFB000-memory.dmp

Filesize
812KB

Download
memory/2672-24-0x00007FF997B30000-0x00007FF997B40000-memory.dmp

Filesize
64KB

Download
memory/2672-23-0x0000014779E40000-0x0000014779E41000-memory.dmp

Filesize
4KB

Download
memory/2672-115-0x000001477C6D0000-0x000001477C895000-memory.dmp

Filesize
1.8MB

Download
memory/2672-116-0x000001477BA40000-0x000001477BA42000-memory.dmp

Filesize
8KB

Download
memory/2672-107-0x000001477BA40000-0x000001477BA41000-memory.dmp

Filesize
4KB

Download
memory/2672-117-0x000001477BAB0000-0x000001477BAB1000-memory.dmp

Filesize
4KB

Download
memory/2672-108-0x000001477BA50000-0x000001477BA51000-memory.dmp

Filesize
4KB

Download
memory/2672-118-0x000001477BAB0000-0x000001477BAB8000-memory.dmp

Filesize
32KB

Download
memory/2672-22-0x0000014779D30000-0x0000014779DFB000-memory.dmp

Filesize
812KB

Download
memory/2672-112-0x000001477BAB0000-0x000001477BAB1000-memory.dmp

Filesize
4KB

Download
memory/2672-57-0x0000014779D30000-0x0000014779DFB000-memory.dmp

Filesize
812KB

Download
memory/2672-64-0x00007FF997B30000-0x00007FF997B40000-memory.dmp

Filesize
64KB

Download
memory/2672-109-0x000001477C6D0000-0x000001477C895000-memory.dmp

Filesize
1.8MB

Download
memory/2672-66-0x000001477B6E0000-0x000001477B6E2000-memory.dmp

Filesize
8KB

Download
memory/2672-126-0x000001477C6D0000-0x000001477C895000-memory.dmp

Filesize
1.8MB

Download
memory/2672-111-0x000001477BA40000-0x000001477BA41000-memory.dmp

Filesize
4KB

Download
memory/2672-110-0x000001477BA40000-0x000001477BA42000-memory.dmp

Filesize
8KB

Download
memory/3048-0-0x0000000000580000-0x0000000000609000-memory.dmp

Filesize
548KB

Download
memory/3048-31-0x0000000000580000-0x0000000000609000-memory.dmp

Filesize
548KB

Download
memory/3048-29-0x0000000000580000-0x0000000000609000-memory.dmp

Filesize
548KB

Download
memory/3176-102-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-132-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-78-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-81-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-82-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-80-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-83-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-84-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3176-85-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-86-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-87-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3176-88-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-90-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-92-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-94-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-96-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-97-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-98-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3176-99-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-103-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-104-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-105-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-76-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-101-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-106-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-75-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-74-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-73-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-72-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-200-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-56-0x0000000008AE0000-0x0000000008BD9000-memory.dmp

Filesize
996KB

Download
memory/3176-198-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-196-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-15-0x0000000008AE0000-0x0000000008BD9000-memory.dmp

Filesize
996KB

Download
memory/3176-12-0x0000000002B70000-0x0000000002B73000-memory.dmp

Filesize
12KB

Download
memory/3176-13-0x0000000002B70000-0x0000000002B73000-memory.dmp

Filesize
12KB

Download
memory/3176-14-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/3176-10-0x0000000002B70000-0x0000000002B73000-memory.dmp

Filesize
12KB

Download
memory/3176-194-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-131-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-77-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-134-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-135-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-133-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3176-136-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-137-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-138-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-140-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-142-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-143-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-144-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/3176-145-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-147-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-149-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/3176-151-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-148-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-153-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3176-154-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-152-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-155-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-156-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-157-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-158-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/3176-159-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-161-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-163-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-160-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-164-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-167-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-169-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-171-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-173-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-180-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3176-183-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3392-4-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/3392-38-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/3392-46-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/3392-71-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download