banload | 27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83

Analysis

max time kernel
51s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Size

3.2MB
MD5

9d939a0e0267199dfe00ca6b67ce55ef
SHA1

25b73d95aeacbddd582f2368925c816c40a6dee0
SHA256

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83
SHA512

050a623d9e6c8ab814ae89a9e510b1d1962b96d6905d1c3ca5efbebf4c673d843ec05f9f2688d22c45c69f9b914d65ca09fc9122bb597fdecfed69982efac7e3
SSDEEP

98304:XXz+eBX1C5Bs75yAsqAq01usThU1Amx6PRJTLuG:nKeV1CcZLF0Y+OmmxYCG

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

codec_installer.execodec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	codec_installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	codec.exe

Executes dropped EXE 5 IoCs

Processes:

codec.execodec_installer.execodec.execodec_installer.execodec.exe

pid process

1896 codec.exe
5032 codec_installer.exe
4336 codec.exe
5052 codec_installer.exe
4384 codec.exe

pid	process
1896	codec.exe
5032	codec_installer.exe
4336	codec.exe
5052	codec_installer.exe
4384	codec.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

codec.execodec_installer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	codec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	codec_installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	codec_installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	codec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.execodec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	codec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Àðáèòðàæíûé ñóä\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\oops.exe	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 35 IoCs

Processes:

codec.execodec_installer.exe27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ = "Microsoft Graph Application"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ProgID\ = "MSGraph.Application.8"	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\VersionIndependentProgID\ = "MSGraph.Application"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ProgID	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ProgID\ = "MSGraph.Application.8"	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\InprocHandler32	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\LocalServer32	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf\ = "cbffile"	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\GRAPH.EXE\" /automation"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\InprocHandler32	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\VersionIndependentProgID\ = "MSGraph.Application"	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\LocalServer32	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ = "Microsoft Graph Application"	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\Implemented Categories	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon\ = "C:\\Program Files (x86)\\Àðáèòðàæíûé ñóä\\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\\oops.exe,0"	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\InprocHandler32\ = "ole32.dll"	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\VersionIndependentProgID	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\InprocHandler32\ = "ole32.dll"	codec_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command\ = "C:\\Program Files (x86)\\Àðáèòðàæíûé ñóä\\Ïðèëîæåíèå Àðáèòðàæíîãî ñóäà\\oops.exe \"%1\""	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\ProgID	codec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\VersionIndependentProgID	codec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF9E5CF6-C171-4C96-27A1-F6FF27A1F6FF}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\GRAPH.EXE\" /automation"	codec_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

codec.exe

pid process

4336 codec.exe
4336 codec.exe

pid	process
4336	codec.exe
4336	codec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

codec.execodec_installer.exe

description	pid	process
Token: 33	4336	codec.exe
Token: SeIncBasePriorityPrivilege	4336	codec.exe
Token: 33	4336	codec.exe
Token: SeIncBasePriorityPrivilege	4336	codec.exe
Token: 33	5052	codec_installer.exe
Token: SeIncBasePriorityPrivilege	5052	codec_installer.exe
Token: 33	5052	codec_installer.exe
Token: SeIncBasePriorityPrivilege	5052	codec_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.execodec.execodec_installer.exe

description	pid	process	target process
PID 4636 wrote to memory of 1896	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 4636 wrote to memory of 1896	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 4636 wrote to memory of 1896	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec.exe
PID 4636 wrote to memory of 5032	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 4636 wrote to memory of 5032	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 4636 wrote to memory of 5032	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	codec_installer.exe
PID 4636 wrote to memory of 4300	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 4636 wrote to memory of 4300	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 4636 wrote to memory of 4300	4636	27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe	WScript.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 5032 wrote to memory of 5052	5032	codec_installer.exe	codec_installer.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe
PID 1896 wrote to memory of 4336	1896	codec.exe	codec.exe

C:\Users\Admin\AppData\Local\Temp\27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe
"C:\Users\Admin\AppData\Local\Temp\27aac56d3df98439a82ebd528bc6cf4446792f38b7dfb21bd379978d167a3d83.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe" runas
4⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\codec.exe
"C:\Users\Admin\AppData\Local\Temp\codec.exe" runas
5⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
"C:\Users\Admin\AppData\Local\Temp\codec_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
"C:\Users\Admin\AppData\Local\Temp\codec_installer.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\error.vbs"
2⤵
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP\RAIDTest
Filesize
4B

MD5
959dedb23f3421e58d16c60eff6a367b

SHA1
7bdb5d6220d393c9020ba05bedeedb7fbb31b6ab

SHA256
205549d84f02f8d00a6547a0259b5ce7728d3af0a248cac8a6d3fcda2b287ce0

SHA512
c8151442fb6e2f0437550eb3e99f696f9fbd41230ee47d5de41223e2ad62e23bc1e7a05afb05d4a978b147f313fc9220282619d9b0dee594644573be22fbb491

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
7310f856bc9f09ac48c232139e0b5d32

SHA1
3cfd1e7c824d78842253f3c72e91840225bff41c

SHA256
9110f0baf6781cd2056799b66fc0731baa84eda37e6b58518aa267f08ef4c5a1

SHA512
4d78fe5625f04e331d47f3fb8a87d14e2665c9ff809f863d30523307d81274d6acfe5e910d411c9d3b2b05b89870b8a4fbc9d4b4c4a0d90239732156506cf220

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
2.2MB

MD5
630943d2d79d3c9fe24d2ab46ac69599

SHA1
e583453e389c6ac45873b7ba0dc0c5c11dc5e80f

SHA256
6c157c1f11e7800ecf5606242f7623a290f568f97365069853a14465b0325c15

SHA512
47ff440c3e5c9440eac073a5a02c762fc11b79ecf9b8f53bd9ca064ded5ad654a81eff4b7412e02743076c5f98549729f4d25a4523778b56bc779dccb461f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec.exe
Filesize
768KB

MD5
ef0b86fdc23fd61e401e82ab66d2fc22

SHA1
15f92cf86a7faf8c1ba7e9cb31b77afd3d4b48ec

SHA256
bef5f5acec0dc751ca6eed72fefdb08d4734b1fa9b79018de46bda4e91f5c4fc

SHA512
6673675740c85b16d6e47dd8077e315247bfe4769de6245a90542110a4beddc2ff533c5509cd681d40b7440a2c1437c65144a28f593c82b668602a63a9193591

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\codec_installer.exe
Filesize
1.8MB

MD5
84511956d93b9b4639fcc0a467de5f37

SHA1
c578e017eea863ce8026805ca8061204bf700b1d

SHA256
fd15fda9a35b58c1a0693b250f4f0837ac100306a678531e59d0b31775a613d0

SHA512
407d84bc02ca42a812f0c8bd172f16cbb70d9852cd5e58684a48d9ff3f0fdb48e1c4cb5e7c7fd3212e70831910f3ae40f5b35751477017567a180b37bccc11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.vbs
Filesize
143B

MD5
e607596ab74fe74b9476affbdd6c1b13

SHA1
e3b6975f483da4a24c729cb37e5421184dc63392

SHA256
82668703d21f77ba26104eb17ce4def042a11981cd0c403294a9a1b0091940fd

SHA512
ed0713b0945e7c5aed88baedfec9c16214078d27325a722792e2726677e0f3c819d0ab0c22c14a354c4b5ed8bdd58829f057a52253759a1b27ce8d6cbf240cf3

Download Submit
memory/1896-135-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1896-445-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1896-132-0x0000000000000000-mapping.dmp

Download
memory/4212-444-0x0000000000000000-mapping.dmp

Download
memory/4300-141-0x0000000000000000-mapping.dmp

Download
memory/4336-211-0x000000000042C000-0x000000000042D000-memory.dmp

Filesize
4KB

Download
memory/4336-199-0x0000000000426000-0x0000000000427000-memory.dmp

Filesize
4KB

Download
memory/4336-142-0x0000000000000000-mapping.dmp

Download
memory/4336-164-0x00000000028F0000-0x0000000002AFC000-memory.dmp

Filesize
2.0MB

Download
memory/4336-148-0x00000000028F0000-0x0000000002AFC000-memory.dmp

Filesize
2.0MB

Download
memory/4336-166-0x00000000028F0000-0x0000000002AFC000-memory.dmp

Filesize
2.0MB

Download
memory/4336-225-0x0000000000422000-0x0000000000423000-memory.dmp

Filesize
4KB

Download
memory/4336-154-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4336-169-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4336-170-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4336-171-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4336-172-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/4336-224-0x0000000000455000-0x0000000000456000-memory.dmp

Filesize
4KB

Download
memory/4336-223-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4336-222-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/4336-221-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/4336-182-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/4336-183-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/4336-184-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/4336-185-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/4336-186-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4336-187-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/4336-188-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/4336-189-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/4336-190-0x0000000000409000-0x000000000040A000-memory.dmp

Filesize
4KB

Download
memory/4336-191-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/4336-192-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/4336-193-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4336-194-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/4336-195-0x000000000041B000-0x000000000041C000-memory.dmp

Filesize
4KB

Download
memory/4336-196-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/4336-197-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/4336-198-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/4336-219-0x000000000044D000-0x000000000044E000-memory.dmp

Filesize
4KB

Download
memory/4336-200-0x0000000000427000-0x0000000000428000-memory.dmp

Filesize
4KB

Download
memory/4336-201-0x0000000000428000-0x0000000000429000-memory.dmp

Filesize
4KB

Download
memory/4336-202-0x000000000041E000-0x000000000041F000-memory.dmp

Filesize
4KB

Download
memory/4336-203-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4336-204-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/4336-205-0x0000000000445000-0x0000000000446000-memory.dmp

Filesize
4KB

Download
memory/4336-206-0x000000000044B000-0x000000000044C000-memory.dmp

Filesize
4KB

Download
memory/4336-207-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/4336-208-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/4336-209-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/4336-210-0x0000000000429000-0x000000000042A000-memory.dmp

Filesize
4KB

Download
memory/4336-220-0x0000000000454000-0x0000000000455000-memory.dmp

Filesize
4KB

Download
memory/4336-212-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4336-213-0x000000000042A000-0x000000000042B000-memory.dmp

Filesize
4KB

Download
memory/4336-214-0x000000000040A000-0x000000000040B000-memory.dmp

Filesize
4KB

Download
memory/4336-215-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/4336-216-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/4336-217-0x0000000000442000-0x0000000000443000-memory.dmp

Filesize
4KB

Download
memory/4336-218-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4384-441-0x0000000000000000-mapping.dmp

Download
memory/5032-152-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5032-136-0x0000000000000000-mapping.dmp

Download
memory/5052-167-0x00000000033D0000-0x00000000035DC000-memory.dmp

Filesize
2.0MB

Download
memory/5052-176-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5052-173-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5052-177-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5052-262-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/5052-179-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/5052-165-0x00000000033D0000-0x00000000035DC000-memory.dmp

Filesize
2.0MB

Download
memory/5052-158-0x00000000033D0000-0x00000000035DC000-memory.dmp

Filesize
2.0MB

Download
memory/5052-143-0x0000000000000000-mapping.dmp

Download
memory/5052-156-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download