banload | 9f79190d363143b27efacf27d67a35f4f8ea781df79cdfa15fb1bde1a67641ca

Analysis

max time kernel
180s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23/05/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Todoist-win32-9.3.2.exe
Size

2.8MB
MD5

6756a24daf9628e691994def1e2ab195
SHA1

961a6658d2e6ddb0ba6cb2a489bcb692c93d4f85
SHA256

763f0e6d7e6700217888a98ef01e2e085ed81226e565b8b738ee4a2b48e9bdf1
SHA512

2683d573bcb29aa85e8c9f94df1a05901e234862f998d1db3f0ac40c1c97d465900cf9fb9f4272792b6319c4f6b516494b4fd8ac54671de560dd4b8eab3507dc
SSDEEP

24576:br4DpEFVbZL+N+coB8SBrCqJ6lPhgHxoeovCiaIhGGPThuaIvufnXfmeT3:n4DpwVbZL+ZoqSf6lPCoeovGGPw985T3

Score

10^/10

banload discovery downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Executes dropped EXE 4 IoCs

pid	Process
4088	ezcd.exe
2348	ezcd.exe
3224	VC_redist.x86.exe
2884	VC_redist.x86.exe

Loads dropped DLL 7 IoCs

pid	Process
4088	ezcd.exe
4088	ezcd.exe
4088	ezcd.exe
2348	ezcd.exe
2348	ezcd.exe
2348	ezcd.exe
2884	VC_redist.x86.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\Srh.dll"	ezcd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 4868	2348	ezcd.exe	81
PID 4868 set thread context of 4684	4868	cmd.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VmbCe\ = "aR[zRs}SNeAJv`Fyxi}{"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\mhxzdA	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\yZYeoguzxvq	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\VmbCe	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\VmbCe\ = "RvGWzDsM{[rsN[_zT[\\~"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\PuoyOispcjS	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VmbCe\ = "aR[zRs}S~eAJv`FyHi}{"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lMmHbta\ = "{nK[bAK~WMRbciGkMZaW@S"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\DsUuCzAntydD	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\DsUuCzAntydD\ = "Nrm[D~\x7f]\|~OJ\\pqv"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bgiiviXQ	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lMmHbta\ = "{nK[bAK~WMRbciGkM[QW@S"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\PwycrzmqT\ = "lkkE@J@vuT`wRD{YnFqBv"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\PuoyOispcjS\ = "\\fcYrBQmd`d~\|eBMPqippFtsf"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\PwycrzmqT\ = "leUHeQgNFCCA^BAg~VpBg"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lMmHbta	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lMmHbta	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SPusemmvnfcrX	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\PwycrzmqT	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\Srh.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bgiiviXQ\ = "WzkHiipRSnaDqJKTj@ym]{jJu"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\PuoyOispcjS	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bgiiviXQ\ = "FfbM@QuxD^e\|{\|OhdPw\|\\BOnO"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SPusemmvnfcrX\ = "f\\zCcQG"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lMmHbta\ = "WQAyEn]Ry{a^@TnewNNbpD"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\yZYeoguzxvq	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\PuoyOispcjS\ = "_DEdiFi\x7fGeg\x7fp[I\|]TyUrLi@w"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\yZYeoguzxvq\ = "GECHEmKUtRohUB}B]hrnygKC\\\x7fQgc"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\VmbCe\ = "RvGWzDsMK[rsN[_zd[\\~"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SPusemmvnfcrX\ = "f^]W@}["	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DsUuCzAntydD	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\mhxzdA\ = "ktajlEC^_{uMBdkyhBO@FBwsYHnLhLw"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\yZYeoguzxvq\ = "QxcpqUE~swmW~zVuq{y\x7fGYbHOV]d~"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\SPusemmvnfcrX	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SPusemmvnfcrX\ = "qaJSwK\|"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\mhxzdA\ = "@M[XinD\\AVdgWNuDM}\\kO\\dhG{Jbflr"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lMmHbta\ = "WQAyEn]Ry{a^@TnewO~bpD"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "SaSCallback Class"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DsUuCzAntydD\ = "Esym^]iI`VgPvtAQ"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bgiiviXQ	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\mhxzdA	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SPusemmvnfcrX\ = "qcmGTg`"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\PwycrzmqT	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VmbCe	ezcd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
388	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1912	Todoist-win32-9.3.2.exe
1912	Todoist-win32-9.3.2.exe
4088	ezcd.exe
2348	ezcd.exe
2348	ezcd.exe
4868	cmd.exe
4868	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2348	ezcd.exe
4868	cmd.exe
4868	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	MSBuild.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE
388	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4088	1912	Todoist-win32-9.3.2.exe	77
PID 1912 wrote to memory of 4088	1912	Todoist-win32-9.3.2.exe	77
PID 4088 wrote to memory of 2348	4088	ezcd.exe	78
PID 4088 wrote to memory of 2348	4088	ezcd.exe	78
PID 2348 wrote to memory of 3224	2348	ezcd.exe	79
PID 2348 wrote to memory of 3224	2348	ezcd.exe	79
PID 2348 wrote to memory of 3224	2348	ezcd.exe	79
PID 3224 wrote to memory of 2884	3224	VC_redist.x86.exe	80
PID 3224 wrote to memory of 2884	3224	VC_redist.x86.exe	80
PID 3224 wrote to memory of 2884	3224	VC_redist.x86.exe	80
PID 2348 wrote to memory of 4868	2348	ezcd.exe	81
PID 2348 wrote to memory of 4868	2348	ezcd.exe	81
PID 2348 wrote to memory of 4868	2348	ezcd.exe	81
PID 2348 wrote to memory of 4868	2348	ezcd.exe	81
PID 4868 wrote to memory of 4684	4868	cmd.exe	83
PID 4868 wrote to memory of 4684	4868	cmd.exe	83
PID 4868 wrote to memory of 4684	4868	cmd.exe	83
PID 4868 wrote to memory of 4684	4868	cmd.exe	83
PID 4868 wrote to memory of 4684	4868	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\Todoist-win32-9.3.2.exe
"C:\Users\Admin\AppData\Local\Temp\Todoist-win32-9.3.2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\Streamservice\ezcd.exe
  C:\Users\Admin\AppData\Local\Temp\Streamservice\ezcd.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\Streamservice\ezcd.exe
    C:\Users\Admin\Streamservice\ezcd.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\Streamservice\UWQVVABQNIGBFZEFYS\VC_redist.x86.exe
      C:\Users\Admin\Streamservice\UWQVVABQNIGBFZEFYS\VC_redist.x86.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\Temp\{ED2C64D6-7260-42A6-8932-FC7DAA9CD3D2}\.cr\VC_redist.x86.exe
        
        "C:\Windows\Temp\{ED2C64D6-7260-42A6-8932-FC7DAA9CD3D2}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Streamservice\UWQVVABQNIGBFZEFYS\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2024

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Streamservice\battleship.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
1fcac270a86b0a384cfd0f66302a29d4

SHA1
907c259d9d9c4a2b1a99b0e56cdcd1a0dadb8f4b

SHA256
750b599686d42d09dd203bc72424ce61f65b774e847a46432223d543bc60e95e

SHA512
61dfd0bf6732906614a7d0b7126b14b714bf2824ab4f18163220728466ac5820915757d59161d20c9c27178115f611933a1ef4bcf09404d56142f7ff22573f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\796b5bec

Filesize
14.0MB

MD5
570492f689f30b3f0123eee18d084787

SHA1
6ca0001eebad2f283f61a18b2603aa23d8362e91

SHA256
2e19d4828e803be6b296ce0cdd1f0bc9431a458af93e88c441509b9a39a48ec6

SHA512
69bc4666add40858d7bb9091db059cd7c0b252fb1ddf64adaab656e5625a60004bbdf06768b6dc83223cb4dd6deec9b5d79ca236d3ef83addbc670a4e336983f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a27d61

Filesize
29.0MB

MD5
5a37dcc53b6ccf47452d629b3b90e9d6

SHA1
13b8614654e2cc550bb7ebc7d6e9f68b38e1bf4f

SHA256
46760e50b40c3b9c07ebc61ffb5baeed4e4129b3ca2a889097321602bf2f2640

SHA512
10dadd91a58012c24c89bb16888daaff16e30257b69f0f47d143592cda8200a084b97828d87139484a7a5fea9fcf507fd73f2c23c3c3e4faba11ff6927a72a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\ACDBASE.DLL

Filesize
2.9MB

MD5
dace23695dcfa0f7309b65366ac75bc0

SHA1
c5b1bad2dec36852fae90f81f0dbd00518479c01

SHA256
cf8b85beeff99b13d06ed15c79e555ab74e30dfa1491a36c4332f54ed09887e4

SHA512
0e1e5fc158fb39c3c3c7733226cb846407cd01ca1c49800fb7668134ebef129ab43030f2768a8b149b5ba9a18b2d1b0f8bf23d1a8de487a482e9268e0b679bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\battleship.xls

Filesize
92KB

MD5
3272e65683cd79782a3a8043ce5b461e

SHA1
e14c9b66440fa540bcde49286f39331a04ff3de5

SHA256
3636342541ef8d2be6da12f2aa3f56b89de4385511ad5bbf71b0fc02704d8526

SHA512
f68556580618becf72466461528f7fe528e7f042e7cbf0c8e202296e6d029eb2b4a1f8256e540ed60c689325a0c7a58643aa614d6c9f9bbbb35226415dbcc555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\libmmd.dll

Filesize
4.0MB

MD5
b2d52e7ea7d839f9b58784090274e0f0

SHA1
0172f78a2f915ef189ecaf07cc97dc3bdcb52ba9

SHA256
517452273bd0502855aadec65001c22dc076873e9879115f0e1ebd1e2b8f721d

SHA512
fe3656f8864ae47c2ecfd8aede7cc9c8cb6d8db6206366799657514c28db9bd3db111b2c30bd3f60094ffcda73d18132f9b33adedde5b640f5f041e6c7cb8c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\purpurin.dat

Filesize
13.7MB

MD5
51f1557e0ff242cd8f5381ec18842103

SHA1
a0547e8c79a20285967749c6153d1af3891ab3ed

SHA256
3a764cb5a5f8ac87ab00c6acef86786b9d0259cc2f76ad3ddda5c0f1b29c9f57

SHA512
eb225b1fd4418ca1b11916606d1803368f207d6f5fb523c1b0963c53fa0af28353f077a186e87643e710a3098f4fc8f665dd187729c1e4d054e96a7265acc704

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streamservice\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
253B

MD5
1997b057ceb3944b1fac3122a2def86f

SHA1
f5095033f5e8b151d27015ba9becea7de942a9c3

SHA256
b4b55f41e1c1bc341f5e6b59f42c6183c74c7cfe7ee5e79a25ca8825ce83f704

SHA512
099d481446cc79468d493582e22a1284ee371a4738725a862684fd165ed11c6e4a49dc6a22291b37c1bf955a476aa6be4bb9c4c058fdfda9dd08bbcac3d01c93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
793B

MD5
a402dd032436a045ebec78b14763d010

SHA1
0197b1583d73687a6ed58e9873f56cf60cc071d7

SHA256
f852d2ea55eaf428961b2d3bf85d1097e465294fe3dfc16339318873616a027a

SHA512
f255c2d324c4d256dcaecc6d0b86bf24d238c56995906c50fdfda39a58fa2a248e7adec88ca65e02356aa12a46915f1a08931e9ec93cf931f707cbe3c176ad4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\Streamservice\UWQVVABQNIGBFZEFYS\VC_redist.x86.exe

Filesize
13.2MB

MD5
9882a328c8414274555845fa6b542d1e

SHA1
ab4a97610b127d68c45311deabfbcd8aa7066f4b

SHA256
510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79

SHA512
c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2

Download Submit
C:\Windows\Temp\{A04923BA-919E-42FC-A5C9-25A785B63BEE}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{A04923BA-919E-42FC-A5C9-25A785B63BEE}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{ED2C64D6-7260-42A6-8932-FC7DAA9CD3D2}\.cr\VC_redist.x86.exe

Filesize
634KB

MD5
7bd0b2d204d75012d3a9a9ce107c379e

SHA1
41edd6321965d48e11ecded3852eb32e3c13848d

SHA256
d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2

SHA512
d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

Download Submit
memory/388-192-0x00007FFAC58F0000-0x00007FFAC5900000-memory.dmp

Filesize
64KB

Download
memory/1912-0-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/1912-7-0x00007FFAF68A0000-0x00007FFAF6A1A000-memory.dmp

Filesize
1.5MB

Download
memory/1912-9-0x00007FFAF68A0000-0x00007FFAF6A1A000-memory.dmp

Filesize
1.5MB

Download
memory/1912-36-0x00007FFAF68B8000-0x00007FFAF68B9000-memory.dmp

Filesize
4KB

Download
memory/1912-37-0x00007FFAF68A0000-0x00007FFAF6A1A000-memory.dmp

Filesize
1.5MB

Download
memory/1912-70-0x00007FFAF68A0000-0x00007FFAF6A1A000-memory.dmp

Filesize
1.5MB

Download
memory/2348-179-0x00007FFAF6430000-0x00007FFAF65AA000-memory.dmp

Filesize
1.5MB

Download
memory/2348-108-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-110-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-112-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-114-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-117-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-115-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-113-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2348-126-0x00007FFAF6430000-0x00007FFAF65AA000-memory.dmp

Filesize
1.5MB

Download
memory/2348-128-0x00007FFAF6430000-0x00007FFAF65AA000-memory.dmp

Filesize
1.5MB

Download
memory/2348-97-0x0000000003F20000-0x0000000004108000-memory.dmp

Filesize
1.9MB

Download
memory/4088-54-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-59-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-40-0x0000000003F10000-0x00000000040F8000-memory.dmp

Filesize
1.9MB

Download
memory/4088-56-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-57-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-58-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-61-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4088-72-0x00007FFAF6A60000-0x00007FFAF6BDA000-memory.dmp

Filesize
1.5MB

Download
memory/4088-52-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4684-191-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/4684-188-0x0000000072770000-0x0000000073A87000-memory.dmp

Filesize
19.1MB

Download
memory/4868-186-0x0000000073BF0000-0x0000000073D6D000-memory.dmp

Filesize
1.5MB

Download
memory/4868-184-0x0000000073BF0000-0x0000000073D6D000-memory.dmp

Filesize
1.5MB

Download
memory/4868-183-0x00007FFB05860000-0x00007FFB05A69000-memory.dmp

Filesize
2.0MB

Download