1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
149s
max time network
78s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	dControl.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DefenderControl\dControl.exe = "0"	dControl.exe

Loads dropped DLL 1 IoCs

pid	Process
2720	dControl.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2960-23-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2932-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2960-45-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-46-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-120-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2304-121-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2304-142-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-161-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-162-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1352-163-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1352-184-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-185-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/files/0x0009000000014e5a-194.dat	upx
behavioral1/memory/2720-198-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1604-199-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1604-299-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-508-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1052-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1053-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1058-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1060-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1061-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1062-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1063-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1064-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-1065-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"	dControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DefenderControl\dControl.exe = "0"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	dControl.exe

AutoIT Executable 25 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2960-23-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2932-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2960-45-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-46-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-120-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2304-121-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2304-142-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-161-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-162-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1352-163-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1352-184-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-185-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-198-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1604-199-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1604-299-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-508-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1052-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1053-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1058-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1060-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1061-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1062-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1063-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1064-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-1065-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DefenderControl\dControl.exe	dControl.exe
File opened for modification	C:\Program Files (x86)\DefenderControl\dControl.exe	dControl.exe
File created	C:\Program Files (x86)\DefenderControl\dControl.ini	dControl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20240525203917.cab	makecab.exe
File opened for modification	C:\Windows\WindowsUpdate.log	MpCmdRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\sordum.org	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.sordum.org	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\sordum.org\Total = "29"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ed8cc25e2df3d47aaa92aabf174bf4e00000000020000000000106600000001000020000000151a9e69ecba4933c4381cf3ad03cf08e698ab7f7e70fc82c4726c53477ce15b000000000e80000000020000200000001487989c38be6f93420df278657a898a5ef270307dde7ef6418b2a6b8bd3385b2000000095ce7d3f87de8ef18c836b796383d0c11adfe5a6f871daf6a068258c44b24947400000006216751155d1ca704d77b6c426f0baf6746f0a9a3c22df287d9fba1ece435ff98ee331ee29903ef916f373aa4f8f316c05a344e5426feea642a1a54f2edb4cad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F53CC9E1-1AD6-11EF-9542-4A4F109F65B0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.sordum.org\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7071b8bae3aeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\sordum.org\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ed8cc25e2df3d47aaa92aabf174bf4e00000000020000000000106600000001000020000000e8d88494b87afdfba8f95e296740e4768cc6d76f3f4c7dfa585843759ba74ba3000000000e8000000002000020000000643536862b2d74b8a4b2dd610e6071c8d748bf051749fab7b8a0c70b22b55fa790000000cca4b7f2b7c5fa3aeee152658127be8ae68f430758aea73983479810d4297fe5f3d58be594bc47e78df31671445fd97baaa468e678893ecd4cde98fd95dd0fb19009ca71da8929e6a44bfb0dffb5928fb395f70ef7c4aa6ffb1aa8737173ea4fc3a847f07553b9f5b9b944c1c7ffc132cc4dcc1d79811db1eb22528eda01569ac016f9d67e73e25162b109a472f46cce400000002f01f1b5eeb67f8bb77ed12634ea48952d0159a70155aaf0deb2cfa37aeaf9750041b849200f16910e8d2364c794e07a4c4265b69816a07eb34af26d357767a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2932	dControl.exe
2932	dControl.exe
2932	dControl.exe
2960	dControl.exe
2960	dControl.exe
2960	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2304	dControl.exe
2304	dControl.exe
2304	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
1352	dControl.exe
1352	dControl.exe
1352	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
1604	dControl.exe
1604	dControl.exe
1604	dControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	dControl.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2932	dControl.exe
Token: SeIncreaseQuotaPrivilege	2932	dControl.exe
Token: 0	2932	dControl.exe
Token: SeDebugPrivilege	2960	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2960	dControl.exe
Token: SeIncreaseQuotaPrivilege	2960	dControl.exe
Token: SeDebugPrivilege	2720	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2720	dControl.exe
Token: SeIncreaseQuotaPrivilege	2720	dControl.exe
Token: 0	2720	dControl.exe
Token: SeDebugPrivilege	2720	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2720	dControl.exe
Token: SeIncreaseQuotaPrivilege	2720	dControl.exe
Token: 0	2720	dControl.exe
Token: SeDebugPrivilege	2720	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2720	dControl.exe
Token: SeIncreaseQuotaPrivilege	2720	dControl.exe
Token: 0	2720	dControl.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
540	MSASCui.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	iexplore.exe
2680	iexplore.exe
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2304	2720	dControl.exe	36
PID 2720 wrote to memory of 2304	2720	dControl.exe	36
PID 2720 wrote to memory of 2304	2720	dControl.exe	36
PID 2720 wrote to memory of 2304	2720	dControl.exe	36
PID 1252 wrote to memory of 540	1252	explorer.exe	38
PID 1252 wrote to memory of 540	1252	explorer.exe	38
PID 1252 wrote to memory of 540	1252	explorer.exe	38
PID 2720 wrote to memory of 1352	2720	dControl.exe	43
PID 2720 wrote to memory of 1352	2720	dControl.exe	43
PID 2720 wrote to memory of 1352	2720	dControl.exe	43
PID 2720 wrote to memory of 1352	2720	dControl.exe	43
PID 1032 wrote to memory of 780	1032	explorer.exe	45
PID 1032 wrote to memory of 780	1032	explorer.exe	45
PID 1032 wrote to memory of 780	1032	explorer.exe	45
PID 2720 wrote to memory of 1604	2720	dControl.exe	48
PID 2720 wrote to memory of 1604	2720	dControl.exe	48
PID 2720 wrote to memory of 1604	2720	dControl.exe	48
PID 2720 wrote to memory of 1604	2720	dControl.exe	48
PID 2976 wrote to memory of 2680	2976	explorer.exe	50
PID 2976 wrote to memory of 2680	2976	explorer.exe	50
PID 2976 wrote to memory of 2680	2976	explorer.exe	50
PID 2680 wrote to memory of 2268	2680	iexplore.exe	52
PID 2680 wrote to memory of 2268	2680	iexplore.exe	52
PID 2680 wrote to memory of 2268	2680	iexplore.exe	52
PID 2680 wrote to memory of 2268	2680	iexplore.exe	52

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Modifies security service
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
      4⤵
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1196|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2304
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
      4⤵
      PID:916
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1196|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1352
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" https://www.sordum.org/donate/
      4⤵
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1196|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1604

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240525203917.log C:\Windows\Logs\CBS\CbsPersist_20240525203917.cab
1⤵
- Drops file in Windows directory
PID:2488

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:540

\??\c:\program files\windows defender\MpCmdRun.exe
"c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService
1⤵
- Drops file in Windows directory
PID:988

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.sordum.org/donate/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2268

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3016

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2212

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2556

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3048

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1452

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2172

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1272

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2328

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2336

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2420

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
300d4f077ba9c65c15569f230eb1da25

SHA1
cdcab2936ee7a95585b8b9c51adcd959d313e392

SHA256
9cbb041e9a47a4a74a60ca9da0f43421046b1a59e3a9018e934ab045431cdef5

SHA512
b9963afc55121a8a097870ecd6869b4c011e4f5830ad8bd50544a73dfab9cd06e7ea7a71aacf28b205aec8e0e26cc792533daf7e7b7f3c25b370fd993172df84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c8babda45758bffbf376c4e8aac3a57

SHA1
a81ca7bc9d486eb57d32271089ccd8b3e1bc3ab8

SHA256
2d683add6a56e4d2ea39c00ec6dbc7d5e51ab539cf84501fbf0acb6afb955a44

SHA512
73be91e5a51247e40a466b30f79714872a009b22ed239aaea870f76180ba98f0adcfe1d90c8039c14880bf96a1623dd24a57a0e39305514bfee9207d3b8d8707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdb0d2214c2a3d8178255c9451a8c346

SHA1
771b63323eee3fb9d6b710480247a5121fc8deef

SHA256
1199ae516835798c795462ae995214f1b0d995c58877c6d2618b006608c9d8e1

SHA512
dc9d6b3f8e4ea3571c7c5f79a9f0484952fa53d406fb48a1518eadb4e30ea37f0575ddd2e590613a77f58cd504e6a2d3a2cc6153cceb415ec6580402be09b54f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c3d7faaf83d8005d10d29c97c52de60

SHA1
40ace9c3fbe5bead4ebaa5e3e889beddcd85b791

SHA256
06e8f3538948e52b74c869cdec9887013b3e67b06103bcb2c88857864c7bf94d

SHA512
0806c17bf04a57af1b1239ef076a83e8fddea29d01c2a52b22c6cc7e7377ff2dab0a683a2f4d7411fe3e052a954c4ffeadd5e81d2c72aa96653cd518759cd857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
982afcd981bed16f52fc9cd4f6eefd74

SHA1
6d00f2b11ce4ffdf31c75e2d681f6a35ad76a0d3

SHA256
4e30cbab5dbc27a30abd00b76780cfb8fb80d1c96cad3ae2e2d3ffc7613b8329

SHA512
03fa7fe778539bc4671cebd00d991a3f67f20b7f4415f4c4aba5fba1fed1161827fc99e62953e0866be6fb275c2cd1352c7bd2a14d42b032d45aba338c469a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1c9bebd3b298f0e8737646cf69946b5

SHA1
74b8916ccc7cf559a44fcefcaeebc297d5b71a8f

SHA256
622a565bed02cd570f185130f7bec885eda0163227d6bba2e8ea5d31be33a485

SHA512
68466a116e852c04256fe91f4e2683ccfdcd8ce732dd5ec96196c77b6c5abc0ecddad1b9a3242fbfa6b6055f949a75a4d4e58a9396194860b8007ceb58cfdfd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de76f785479221e268d98291fe71fb24

SHA1
a51b85aed602766f42a31587364af3ded1fafa30

SHA256
aeaf2e78cd003beaac2f7603c7f91ae840143683548ba45ffb3c2394422850ed

SHA512
1588a0996e67467b80c3e37f3509f7e688437554b193dd3370095dca989382e656b92f62c9a3ccf236cfab158896af01db5f5c2ac8a7c8f00720ebbd57fd9e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3fff5f20b9ed27d2817dc8ee4969c95

SHA1
0d30e5b6582a6f3a648529767a8ad680201f8c8e

SHA256
7a885c3150b8b601e490c395e98046f49a1271917b15bbbf089745241ea2ee8c

SHA512
10692fcb996ad80e758571c2e3e861fd220a7cd2c22b901a92859c81aa22806d7c36fadc20689061d1f35ec25bf0a481b5ded8fdf5ba1241e1cecbbdfc173443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8c47033addbee6b8f4258a7f14512f7

SHA1
17a857867b616f22706a6a111c1298dc0472b387

SHA256
e197f05e13d57e2db416ee55d179a56553825ac9c1b22943357568c5affca9a7

SHA512
dc37d13e6e204f891f26208421e4e27e9d46d0e95cf67c4a40e90754a6d151404e35c932a221a35a5f434410b8bc4d57bf64ff93705028726a952927fe536296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4233cdb60a75e1ded2cceea1df77b23a

SHA1
25b6933d7ac293e3ec19180792974a70ff2af0c6

SHA256
5a2ef20a1b4c29e5fb88e5f53565df62e105ff7a092e4cb68a7e76499f01fa29

SHA512
93dce920e7fa44c42fa64c2016b1c4a2a95b57531a85cccfd247143b1f8fa7b7213a94ece845a66a7a7c8683c57348187758ce93f4f5f48d071b5a67aeb33f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

Filesize
16KB

MD5
b0bf0ec71acd4a486ae7ba22ed4bce94

SHA1
70f9bf9f3b6688332a16e7ec059b2400912b1d45

SHA256
3b42cb39685ab554b5aaddb517429fe624999018358f82b4232bf3e6eb63e3de

SHA512
39edea4ef30ded27c6b2bc003edc2b132cb67d26ba70dedffcb86675e240728bde852056eb619524460ff6a5fa192bc49e2e7c4e866542cfc6bbeda2d015b84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\customscripts[1].js

Filesize
3KB

MD5
f822ba5ba5a9c59a9070625623a12919

SHA1
6e0550e04a32be99191196997466b0631729286b

SHA256
76245ee7168c5c6624963699800eb5f2da46d3c1b671aa1effa07dd73255ff0b

SHA512
a3391a73c20f501e1445717a6f93abc9c676f3c493043329fca2ff3f3e36545d90e3c39584d6f1bad7e147314beef3f6b64bec123da8630729149b0ef6974644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\f[1].txt

Filesize
487KB

MD5
63e77baa8e78df23f9b74f16a49fb459

SHA1
011a41a87de462776aacc673a32fb0faa3ef6dfc

SHA256
41689b0ed0f419ed781f842e65d84665f5562bdbbbb09772abce8196a91873de

SHA512
c710e370eb195d6fb389b29394e05693c517ffe812fbf644419b7ebe234e596766696fb66c442953ccba598cf0e43860aa8ae1daf8ed824ba4fc2d770468d9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\js[1].js

Filesize
271KB

MD5
980695de2920384a72e1abbdce800316

SHA1
efedbcd11699711ea0314b7c471c5731f1dfd2bc

SHA256
3465fc6a04f47e66925ce74761cd9a6b68ee3adb17c183fc673665d70958e0f0

SHA512
d7d381b4713e8840129c23ec5bdbd485a3fd4c4223d5323e2c3ebeee2ed7b6703b42115408e187e9df0f27dda0d7251b4b524523790e34c09bedf89f26513b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\js[2].js

Filesize
254KB

MD5
ddb9859c78b0f8c35af525412fa02665

SHA1
11eb28a92c03d78dde0c2eb3e79aa4319c8fc86f

SHA256
9c96c68ace5c457040fc9d297c2fbaa266b3085e27ef52b5fb01013592ecbfa3

SHA512
9a5ddf4a1da91d9874ce39ebcd902bb4e6e66b83b9d388626bb0449c2e9e124b42428f7e559700e705ced20e94a86c9bc4f514743628aa48e134d1e6a24d2f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\style.min[1].css

Filesize
110KB

MD5
51a8390b47aa0582cf2d9c96c5addee2

SHA1
b16a640874025d085c38119a1a02a3460f83f2de

SHA256
98cecf88a23542fa047ce46eedb650b5c5128761ed4386c0977b847094ddfa20

SHA512
711162ab43e59e0ff5f050cca4278682194248a13ef2ee1f00ab276b6221e7a4dddeb9645e8798e7f67a34f0001c8f63469f2b2c3e6d4e2519ada30b6775e191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\jquery-migrate.min[1].js

Filesize
13KB

MD5
9ffeb32e2d9efbf8f70caabded242267

SHA1
3ad0c10e501ac2a9bfa18f9cd7e700219b378738

SHA256
5274f11e6fb32ae0cf2dfb9f8043272865c397a7c4223b4cfa7d50ea52fbde89

SHA512
8d6be545508a1c38278b8ad780c3758ae48a25e4e12eee443375aa56031d9b356f8c90f22d4f251140fa3f65603af40523165e33cae2e2d62fc78ec106e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\jquery.min[1].js

Filesize
85KB

MD5
826eb77e86b02ab7724fe3d0141ff87c

SHA1
79cd3587d565afe290076a8d36c31c305a573d18

SHA256
cb6f2d32c49d1c2b25e9ffc9aaafa3f83075346c01bcd4ae6eb187392a4292cf

SHA512
fc79fdb76763025dc39fac045a215ff155ef2f492a0e9640079d6f089fa6218af2b3ab7c6eaf636827dee9294e6939a95ab24554e870c976679c25567ad6374c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\style[1].css

Filesize
59KB

MD5
a408b24260ecd57fbe6b1471af515773

SHA1
8fff2eb4cea8d61011c02d439dc66eac82e36fe6

SHA256
fa9b92bcd574b8dd79e7e8783e3e94c2cd6b93d945e08b22055b3d4e23c5541a

SHA512
d5e8cdabcf45f655db0c4b317b0c477359172b83d37399838d23c065dd20b2e5bac7adb8602e2c9e7fafe00afac575f602b0f68aaaa72dc053923ba9ece2f0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\front.min[1].css

Filesize
4KB

MD5
216d791e61641ace57d8d11a12bde01e

SHA1
28bde6d98d1c689a712efe037a9592e9fa103b09

SHA256
029dedf319bc4536d9c663ae9c0b10c95d1e9f5dd1de0aa73172e9e89ae254cc

SHA512
cd31993e3719a13c971386cbca73ae88cb95e0833f2e8d9cd8ff9e0d070cee43589a4dc34fd973a9e2001aeeeb0ea9cf44e96b7536f85f2a31a47f33e6c9fac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\sordum.org_logo2[1].png

Filesize
16KB

MD5
983b4075e56400ebc51a83de8db52c24

SHA1
0fc289febf1e549caf17131b407a5229b91042ca

SHA256
42e6631ede5f686c5b589e6305a0253e599014361a1c198721e30d95c3b481be

SHA512
afc60e52de7448719d7f53c7c2813be81c88b5529d081f90209e75cca2c9e0be116b095f9cc5ce051b88f0908b92d271815a82c91e1c5bf0d8eee58b80330a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\f[1].txt

Filesize
179KB

MD5
4e718a8b0d21e81d6d8520e3ac9b949a

SHA1
a92cc747b20314db0b1587c1630a7b979e4f2501

SHA256
2e86ef2fb0c15278c3651d98ddc0253a8ab6bbb72c9396c008a4c361bdfc23eb

SHA512
7fba675f6f061971dedf4ac448587f82eacf74455f2b9b399b3f1ad68c7ae34763d5dc76081255a02c208b795da6fd6bc2afa798984e885d6f9a64aae37a1218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\front.min[1].js

Filesize
8KB

MD5
38f95416d5f7349b65699f64e6a587fd

SHA1
2ca6f6f77481c3cdbcaacfc61a56c24f3c933ade

SHA256
08756c47213d461baa3b01f42448a76d11f524470c7a34f9018733889bd4f49c

SHA512
e855ab926916cc3a9aef67e6bcac01056180650710804624452f2d2acb7ce5ce563fbdc5146d51ffe6607fbcdff8d806765d4fe14c6316ae559bb0c6281edafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\js[1].js

Filesize
203KB

MD5
ccf682da0fb3615141bc74509efb4eb3

SHA1
940f554769a81b428d2fb573d4974f1e37b4960f

SHA256
549e3a14d4d826f45a3b404d4978ca2e9ab08047a94f6eb9e07cbf5b230aca0f

SHA512
b33ea33d03b0f5837c4bce7b0e442fef71919a95b0dc09e77f093aec5176c6c3191b49a67bcd2398e153daefe095bb9849c9c430ff7f064dcd2223674d8f333b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\point[1].eot

Filesize
10KB

MD5
05d2027c3e235a6199a80e7ed65c0a0e

SHA1
4db88085bbaaa804a6b9c210d5338d22187ef3e5

SHA256
83678f06120870beeea3c13fe07b193613216750af245210b75b552945871db7

SHA512
abf9216f5cbc5eb7f6aed40c642a050ba536cb96b4e282017d7682d01856e71760e23cd2a755b97ecac57356fd6f4c8db1b975b2d9affc34c49e04d075c14a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0D1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0D0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1D1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
db61dcff12ce2af5ee931936ed11d54d

SHA1
047d97b5c3ee8cd1c178477e00d8433297c336be

SHA256
4127582c6669dbf990d64e1bffb7804f15a13dbb7316a22add6f8f7361e1f758

SHA512
bf49e00a5f3f484bffd88b7ecca8a8a89f4326d4cc026998c6e61315f30e97d631d5ea992b1d670677b1e2d1b86a3012fd2d11791164c67b58678f2c7207fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
0e6ae6b712fd3b5cbdb3002ecf1ddad5

SHA1
e03616cd55252ca3853d0e2982cbb4229a2c66b8

SHA256
877f2c2bbc5584cef32197e0dd73dec081a7fea46d5ea32ce7b7e54ab3ae3e7b

SHA512
6b46106547721df87deb9b30914c981962a7484288fbd5b48049b0ec4d37081d0710af4d1ff50d26b8499768b0de54db1fe7cc206c3253e9e6f5f049bafe2778

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
8B

MD5
8e1b08222f20e45a3e8db04c569f9cb7

SHA1
a6ac68fbadf96faba3af7000a7514790157f930f

SHA256
5bb1f21f806938a043563024b13b33d74a2b95b767c5f81bde8456e9d0413a89

SHA512
414d30dec0fce6b4e3ab52c50f064262e0df00cf9dbbeacca271a0991555371a37cfffdd0486c07a9096838942a69cdbefea4a4399ef2848139678daff589c31

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\1z3y5b2z.tmp

Filesize
37KB

MD5
1f8c95b97229e09286b8a531f690c661

SHA1
b15b21c4912267b41861fb351f192849cca68a12

SHA256
557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

SHA512
0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

Download Submit
C:\Windows\Temp\2r9q6i0l.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut1767.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut1768.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut1779.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
\Program Files (x86)\DefenderControl\dControl.exe

Filesize
447KB

MD5
58008524a6473bdf86c1040a9a9e39c3

SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8

SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

Download Submit
memory/1352-163-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1352-184-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1604-299-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1604-199-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2304-121-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2304-142-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1052-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1060-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-508-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-162-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-185-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-46-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1065-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-196-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/2720-1064-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1063-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-198-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-161-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1051-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/2720-120-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1053-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1058-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1062-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-1061-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2932-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2932-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2960-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2960-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download