banload | 8c585bfa11483a908ab04c4492a44d701353ed2ceaa6ea82eb4d71f4e9da0123

Analysis

max time kernel
133s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

!@-FulL_SoftWare_2024_PassW0rd$.rar
Size

18.1MB
MD5

2c531ab5de72b3dea51ee62cef214e59
SHA1

20676bb9065b828050b98dce1e983ddc8415bd52
SHA256

9c3a371d452d44422fad9c4628758187f686527d36ad9a6f3e17766cd7c690f2
SHA512

f9c52edcd1087400be4b86b32b50f6f56c583a8352c5ecff9bd48233f056c406480288840f7708e888eb1c6f2378d7f7887ce9428b3c77c0ad4beb98f87725d9
SSDEEP

393216:ylD7PpwPSxfeIKkxonRgcsLu8zoJO/jrFzfifS/Jb8H:SDGPQGIKkxonR/sLQObrFW6/R4

Score

10^/10

banload downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeSetup.exeSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exeSetup.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe

Executes dropped EXE 4 IoCs

Processes:

Setup.exeSetup.exeDavonevur.exeSetup.exe

pid	Process
2520	Setup.exe
1588	Setup.exe
1124	Davonevur.exe
2964	Setup.exe

Loads dropped DLL 46 IoCs

Processes:

Setup.exeSetup.exe

pid	Process
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
2520	Setup.exe
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
1156
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe
1588	Setup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

Setup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "%SystemRoot%\\system32\\shell32.dll"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Apartment"	Setup.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Setup.exemore.comSetup.exe

description	pid	Process	procid_target
PID 2520 set thread context of 2876	2520	Setup.exe	34
PID 2876 set thread context of 2736	2876	more.com	38
PID 2964 set thread context of 3044	2964	Setup.exe	58

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2824	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	POWERPNT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	POWERPNT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXESetup.exeSetup.exeSetup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SQvpiiyKhcva\ = "XGhJbflzmvesjDsM[[rsN[_zt[\\~_D"	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	POWERPNT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\hrxgl\ = "EdiFi\x7fGeg\x7fp[I\|]TyUrLi@wGE"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\noaxpklIaM	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ourzdsR\ = "NOj\x7f@^[Yen@lAEdf[NqtMn\\jC\\`"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pgvxyaMGRiuU	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\vDmfdqzWc	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\hrxgl\ = "cYrBQmd`d~\|eBMPqippFtsfQx"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\vDmfdqzWc\ = "d~{nK[bAK~WMRbciGkMZaW@Sqcqs{"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SQvpiiyKhcva\ = "XGhJbflzmvesjDsMK[rsN[_zd[\\~_D"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ltmeyvyOIzijc\ = "lkkE@J@vuT`wRD{YnG}BvEsjm^]"	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ltmeyvyOIzijc\ = "leUHeQgNFCCA^BAg~W\|BgNr~[D~"	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	POWERPNT.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SQvpiiyKhcva\ = "CY[nLhL\x7f^Ry^Bs}SNeAJv`Fyxi}{\\f"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SQvpiiyKhcva\ = "CY[nLhL\x7f^Ry^Bs}S~eAJv`FyHi}{\\f"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\pgvxyaMGRiuU	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ctfqYQw\ = "xk"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SQvpiiyKhcva\ = "XGhJbflzmvesjDsMK[rsN[_zd[\\~_D"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SQvpiiyKhcva\ = "CY[nLhL\x7f^Ry^Bs}S~eAJv`FyHi}{\\f"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\pgvxyaMGRiuU\ = "\x7f]\|~OJ\\pqvFfbM@QuxD^e\|zpOlTPd\|]"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SQvpiiyKhcva\ = "XGhJbflzmvesjDsM{[rsN[_zT[\\~_D"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	POWERPNT.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\vDmfdqzWc\ = "d~{nK[bAK~WMRbciGkM[AW@SqcfmN"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\vDmfdqzWc\ = "gcWQAyEn]Ry{a^@TnewNNbpDf\\fwL"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\pgvxyaMGRiuU\ = "iI`VgPvtAQWzkHiipRSnaDpFKPZ@jm\\"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	POWERPNT.EXE

NTFS ADS 3 IoCs

Processes:

Setup.exeSetup.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	Setup.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	Setup.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	Setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid	Process
1856	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Setup.exemore.comSetup.exeSetup.exemore.com

pid	Process
2520	Setup.exe
2520	Setup.exe
2876	more.com
2876	more.com
1588	Setup.exe
2964	Setup.exe
2964	Setup.exe
3044	more.com
3044	more.com

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exePOWERPNT.EXE7zFM.exe

pid	Process
2544	7zFM.exe
1856	POWERPNT.EXE
1104	7zFM.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Setup.exemore.comSetup.exe

pid	Process
2520	Setup.exe
2876	more.com
2876	more.com
2964	Setup.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exe7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	2544	7zFM.exe
Token: 35	2544	7zFM.exe
Token: SeSecurityPrivilege	2544	7zFM.exe
Token: SeRestorePrivilege	1104	7zFM.exe
Token: 35	1104	7zFM.exe
Token: SeSecurityPrivilege	1104	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe7zFM.exe

pid	Process
2544	7zFM.exe
2544	7zFM.exe
1104	7zFM.exe
1104	7zFM.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.exeSetup.exemore.comregsvr32.execmd.exePOWERPNT.EXEcmd.exetaskeng.exeSetup.exe

description	pid	Process	procid_target
PID 2916 wrote to memory of 2544	2916	cmd.exe	29
PID 2916 wrote to memory of 2544	2916	cmd.exe	29
PID 2916 wrote to memory of 2544	2916	cmd.exe	29
PID 2520 wrote to memory of 2876	2520	Setup.exe	34
PID 2520 wrote to memory of 2876	2520	Setup.exe	34
PID 2520 wrote to memory of 2876	2520	Setup.exe	34
PID 2520 wrote to memory of 2876	2520	Setup.exe	34
PID 2520 wrote to memory of 2876	2520	Setup.exe	34
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2876 wrote to memory of 2736	2876	more.com	38
PID 2736 wrote to memory of 2256	2736	regsvr32.exe	43
PID 2736 wrote to memory of 2256	2736	regsvr32.exe	43
PID 2736 wrote to memory of 2256	2736	regsvr32.exe	43
PID 2736 wrote to memory of 2256	2736	regsvr32.exe	43
PID 2256 wrote to memory of 3000	2256	cmd.exe	45
PID 2256 wrote to memory of 3000	2256	cmd.exe	45
PID 2256 wrote to memory of 3000	2256	cmd.exe	45
PID 2256 wrote to memory of 3000	2256	cmd.exe	45
PID 1856 wrote to memory of 1208	1856	POWERPNT.EXE	46
PID 1856 wrote to memory of 1208	1856	POWERPNT.EXE	46
PID 1856 wrote to memory of 1208	1856	POWERPNT.EXE	46
PID 1856 wrote to memory of 1208	1856	POWERPNT.EXE	46
PID 2736 wrote to memory of 592	2736	regsvr32.exe	48
PID 2736 wrote to memory of 592	2736	regsvr32.exe	48
PID 2736 wrote to memory of 592	2736	regsvr32.exe	48
PID 2736 wrote to memory of 592	2736	regsvr32.exe	48
PID 592 wrote to memory of 2824	592	cmd.exe	50
PID 592 wrote to memory of 2824	592	cmd.exe	50
PID 592 wrote to memory of 2824	592	cmd.exe	50
PID 592 wrote to memory of 2824	592	cmd.exe	50
PID 1436 wrote to memory of 1124	1436	taskeng.exe	52
PID 1436 wrote to memory of 1124	1436	taskeng.exe	52
PID 1436 wrote to memory of 1124	1436	taskeng.exe	52
PID 1436 wrote to memory of 1124	1436	taskeng.exe	52
PID 2964 wrote to memory of 3044	2964	Setup.exe	58
PID 2964 wrote to memory of 3044	2964	Setup.exe	58
PID 2964 wrote to memory of 3044	2964	Setup.exe	58
PID 2964 wrote to memory of 3044	2964	Setup.exe	58
PID 2964 wrote to memory of 3044	2964	Setup.exe	58

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\!@-FulL_SoftWare_2024_PassW0rd$.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\!@-FulL_SoftWare_2024_PassW0rd$.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2544

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\expand.exe
        
        expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        5⤵
        Drops file in Windows directory
        
        PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2824

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
1⤵
PID:2028

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\File Pss$W0rd 2024.ppt"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1208

C:\Windows\system32\taskeng.exe
taskeng.exe {EA236D30-727F-4DE9-BCB4-6A615659F00C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
  C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
  2⤵
  - Executes dropped EXE
  PID:1124

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\!@-FulL_SoftWare_2024_PassW0rd$.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1104

C:\Setup.exe
"C:\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
f52d9b889289fd9c7ffb89a97a95202f

SHA1
a240cc696abf6a516ef34079b576168a73d6ccd8

SHA256
32ac637060879205bd17048d5d870c9cb1cf924805ef5605ea992fbebc09d2eb

SHA512
e15906b12c4f3be163999004318be1743d45cd7ab87bae3937d9cd457ba442a060018cda5424229e945f1d747a52c459f8791fae78a915f95444ff91d70bc0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\782e2153

Filesize
1.4MB

MD5
cbb7f8b8b23564f1196461bdc47d8a36

SHA1
8898fe060d5ffef4aed94fb0c41dbcccd8103604

SHA256
b4030d54016c6328b3b19273dacd547bd5cc41af4db2495e0be842249412d27e

SHA512
cb086aa3e913eb014339bc0fecdbc2f1807b6bb07bb0a312f180185287b257f22a2c29084cc27427cfdd728de13bc8ad266d853da62d6d97bf04aa00e6305b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\API-MS-WIN-CRT-STDIO-L1-1-0.DLL

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Temp\callup.zip

Filesize
1.1MB

MD5
daa5d063fd362d8cd05dcb53b325d7d5

SHA1
88633bf31cbdc381c7a9a0e4321546de3eca7720

SHA256
2d5782626d017e182a02c5a21466310fb5d8b73ab215c62cdc165ba27707e802

SHA512
141c54a4d88ef01581f3a96961c3542b0115b2aa9448d768ab288ccdeefceaa38ec59a64afe00f2ff4d93fa4043b92c9ec4cd769a0fa4cf1943b2090042e9464

Download Submit
C:\Users\Admin\AppData\Local\Temp\leap.zip

Filesize
45KB

MD5
08f543471fca769417d792fa915ec287

SHA1
e1b010978178cfa854ebcbd7db2c7fd05cb1e267

SHA256
42fa279d41b30afdd4a016c64d64ea5967417179912e2d471be18a0a850d1cae

SHA512
a61a0310910a46dfd1755699eb5abae608572af0b0e5e7fd5faf9501f2c4d05e60d07a1886fd5c33c1d0730dd8c99993cf29086bbe052f226a0528445ebe4a2d

Download Submit
C:\x64\App.xbf

Filesize
1KB

MD5
fc6f983b839f1d0702c0d40f107313fb

SHA1
f0987f6305ff7b0e8d2b625ef5ad8fb5b0ce4081

SHA256
358b9f84ed4326fc989fb70f5d6d17e8e268eabb476b9e3ef6270872b00189f3

SHA512
f7e2b98d9898a99a14bb32d0ad478c0ea4d9713eb4424c0b1525d5e37855ed9f835db678d3ff590eaadf437c408d4a740eb3676adcee822d73a4c0e167b8e6f3

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
\Users\Admin\AppData\Local\Temp\acdbase.dll

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
\Users\Admin\AppData\Local\Temp\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
\Users\Admin\AppData\Local\Temp\libmmd.dll

Filesize
4.0MB

MD5
f3918c71ae05882f8d47b776596dc5f2

SHA1
36e52c01b24db9d2daa36cf76697e5612d5c1470

SHA256
16a5bc32f74bbb0c1919cd18ce1cd64dfcf6a6ba90c35c9dd44791c3f464c17a

SHA512
45db3576b3ce685e361905d2fd8ecc96d8b7157d7113e6d41922dc5dbc04ace62ace113c09eeba36a6e4c70f94e39a1dadea4a39cf6cc7e87af166e14000af5a

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
memory/1588-430-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-438-0x00000000047C0000-0x0000000004BBA000-memory.dmp

Filesize
4.0MB

Download
memory/1588-431-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-433-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-429-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-427-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-425-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1588-415-0x0000000003DF0000-0x0000000003FD8000-memory.dmp

Filesize
1.9MB

Download
memory/1588-448-0x000007FEF6000000-0x000007FEF6158000-memory.dmp

Filesize
1.3MB

Download
memory/1588-434-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1856-458-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1856-461-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2520-349-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-340-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-331-0x0000000003DC0000-0x0000000003FA8000-memory.dmp

Filesize
1.9MB

Download
memory/2520-346-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-342-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-390-0x000007FEF60A0000-0x000007FEF61F8000-memory.dmp

Filesize
1.3MB

Download
memory/2520-345-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-356-0x0000000004680000-0x0000000004A7A000-memory.dmp

Filesize
4.0MB

Download
memory/2520-376-0x000007FEF60A0000-0x000007FEF61F8000-memory.dmp

Filesize
1.3MB

Download
memory/2520-347-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2520-344-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2736-460-0x0000000000400000-0x0000000000B35000-memory.dmp

Filesize
7.2MB

Download
memory/2736-400-0x0000000000400000-0x0000000000B35000-memory.dmp

Filesize
7.2MB

Download
memory/2736-398-0x0000000000400000-0x0000000000B35000-memory.dmp

Filesize
7.2MB

Download
memory/2736-449-0x0000000000400000-0x0000000000B35000-memory.dmp

Filesize
7.2MB

Download
memory/2736-397-0x0000000077740000-0x00000000778E9000-memory.dmp

Filesize
1.7MB

Download
memory/2736-396-0x0000000072CC0000-0x0000000073D22000-memory.dmp

Filesize
16.4MB

Download
memory/2876-394-0x0000000074DD0000-0x0000000074F44000-memory.dmp

Filesize
1.5MB

Download
memory/2876-393-0x0000000077740000-0x00000000778E9000-memory.dmp

Filesize
1.7MB

Download
memory/2964-756-0x0000000003C40000-0x0000000003E28000-memory.dmp

Filesize
1.9MB

Download
memory/2964-769-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-767-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-771-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-765-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-772-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-770-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2964-775-0x0000000004780000-0x0000000004B7A000-memory.dmp

Filesize
4.0MB

Download