banload | 3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

15.1MB
MD5

679e3f0e646a1a26b3264d08f398b228
SHA1

feedf0799a22cdfb393960a2b8edc06b35019664
SHA256

3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1
SHA512

46038281c1c73ba9a0265db68a4be35fee3fb640d95c04407424a9cd7bc97013ca5b40ae546f7e25dc77c9d047ee9d4fea98d54e1c7a44977f204623543af99f
SSDEEP

393216:A8+b3itt/k6pMm/aGib3gQuq6C2CT9U3TC6dRR8H0ZH3P:qS9CmqzTGunIH3P

Score

10^/10

banload lumma downloader dropper evasion persistence stealer trojan

Malware Config

Extracted

Family

lumma

https://fomremywellmadderw.shop/api

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Setup.tmp

Executes dropped EXE 5 IoCs

pid	Process
2440	Setup.tmp
452	Setup.tmp
2504	UnRAR.exe
3608	ezcd.exe
5284	ezcd.exe

Loads dropped DLL 9 IoCs

pid	Process
2440	Setup.tmp
452	Setup.tmp
3608	ezcd.exe
3608	ezcd.exe
3608	ezcd.exe
5284	ezcd.exe
5284	ezcd.exe
5284	ezcd.exe
5504	Ftur.au3

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\CIWmi.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5284 set thread context of 2156	5284	ezcd.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\dzKwSlbxfwYnp\ = "uJvdtii\x7fOGrBhcXunLhLBtGoPBs}S~"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\leoWfh\ = "KUtRohUB}B]hrnygKC\\\x7fQgcWQAyE"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bomsuvReDgnIl	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lgZkhpuhih\ = "AK~WMRbciGkMZaW@Sq"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\wfupofqpfsue	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Code Integrity Wmi Provider"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\leoWfh\ = "E~swmW~zVuq{y\x7fGYbHOV]d~{nK[b"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\elmIzEEoyh\ = "leUHeQgNFCCA^BAg~QDBgNsP"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lavehmfkxU\ = "~\|eBMPqippFtsfQxcpqU"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bjHeczDb\ = "[D~\x7f]\|~OJ\\pqvFfbM@QuxD"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\usrfxujwv	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lgZkhpuhih\ = "n]Ry{a^@TnewNNbpDf"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bjHeczDb	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\dzKwSlbxfwYnp\ = "uJvdtii\x7fOGrBhcXunLhLBtGoPBs}SN"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\leoWfh	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\wfupofqpfsue\ = "[rsN[_zd[\\~_DEdiFi\x7fGeg"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\leoWfh	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\usrfxujwv	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\usrfxujwv\ = "blrc[M"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\wfupofqpfsue\ = "[rsN[_zT[\\~_DEdiFi\x7fGeg"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\CIWmi.dll"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\elmIzEEoyh	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bjHeczDb	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lavehmfkxU	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lgZkhpuhih\ = "n]Ry{a^@TnewO~bpDf"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\dzKwSlbxfwYnp	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lavehmfkxU	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\usrfxujwv\ = "]{vTmj"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\elmIzEEoyh	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bomsuvReDgnIl	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\dzKwSlbxfwYnp	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\wfupofqpfsue\ = "eAJv`FyHi}{\\fcYrBQmd`d"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\usrfxujwv\ = "`Kf@wQ"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\wfupofqpfsue\ = "eAJv`Fyxi}{\\fcYrBQmd`d"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bomsuvReDgnIl\ = "naDv~KKzADmZOjUejIamXE\\N^F"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\dzKwSlbxfwYnp\ = "d`cNjTL@\\l{\\{xFFJbflGGcs}jDsM{"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lavehmfkxU\ = "\x7fp[I\|]TyUrLi@wGECHEm"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\dzKwSlbxfwYnp\ = "d`cNjTL@\\l{\\{xFFJbflGGcs}jDsMK"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\elmIzEEoyh\ = "lkkE@J@vuT`wRD{YnAEBvErD"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\bjHeczDb\ = "m^]iI`VgPvtAQWzkHiipRS"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\wfupofqpfsue	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\usrfxujwv\ = "_\\bwAv"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lgZkhpuhih	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lgZkhpuhih\ = "AK~WMRbciGkM[QW@Sq"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lgZkhpuhih	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\bomsuvReDgnIl\ = "^e\|\|HOwtQJ\|[vOq_Ap[_]n[L@k"	ezcd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
452	Setup.tmp
452	Setup.tmp
3608	ezcd.exe
5284	ezcd.exe
5284	ezcd.exe
2156	more.com
2156	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5284	ezcd.exe
2156	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
452	Setup.tmp

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5800 wrote to memory of 2440	5800	Setup.exe	84
PID 5800 wrote to memory of 2440	5800	Setup.exe	84
PID 5800 wrote to memory of 2440	5800	Setup.exe	84
PID 2440 wrote to memory of 1868	2440	Setup.tmp	85
PID 2440 wrote to memory of 1868	2440	Setup.tmp	85
PID 2440 wrote to memory of 1868	2440	Setup.tmp	85
PID 1868 wrote to memory of 452	1868	Setup.exe	86
PID 1868 wrote to memory of 452	1868	Setup.exe	86
PID 1868 wrote to memory of 452	1868	Setup.exe	86
PID 452 wrote to memory of 2504	452	Setup.tmp	87
PID 452 wrote to memory of 2504	452	Setup.tmp	87
PID 452 wrote to memory of 3608	452	Setup.tmp	93
PID 452 wrote to memory of 3608	452	Setup.tmp	93
PID 3608 wrote to memory of 5284	3608	ezcd.exe	95
PID 3608 wrote to memory of 5284	3608	ezcd.exe	95
PID 5284 wrote to memory of 2156	5284	ezcd.exe	96
PID 5284 wrote to memory of 2156	5284	ezcd.exe	96
PID 5284 wrote to memory of 2156	5284	ezcd.exe	96
PID 5284 wrote to memory of 2156	5284	ezcd.exe	96
PID 2156 wrote to memory of 5504	2156	more.com	101
PID 2156 wrote to memory of 5504	2156	more.com	101
PID 2156 wrote to memory of 5504	2156	more.com	101
PID 2156 wrote to memory of 5504	2156	more.com	101
PID 2156 wrote to memory of 5504	2156	more.com	101

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5800
- C:\Users\Admin\AppData\Local\Temp\is-ETIP8.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ETIP8.tmp\Setup.tmp" /SL5="$A01E6,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\is-S1G52.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-S1G52.tmp\Setup.tmp" /SL5="$A01CC,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\UnRAR.exe" x -p2024 -o+ "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\jhgfdsa.rar" "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\"
        5⤵
        Executes dropped EXE
        
        PID:2504
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe
        
        "C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        
        C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5284
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        8⤵
        Loads dropped DLL
        
        PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
449cec5c80755d3649f60681cd6c0511

SHA1
7af35f34dbce38d1244dc388b078e883cb91b4e6

SHA256
8f34eb6935e845f16d51f0c697a9b31f84dbb730ff6e98ec67246b6c2d622c39

SHA512
ee9e9e7ab9a288aa39c437199c651e625c42bd0447a8f8b6ea138f55e230400d4d97639ecf66bd7d8c0ef02d87fd196133e311dc10ce77a46d771c37866b3a17

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ACDBASE.DLL

Filesize
1.8MB

MD5
45e8d0a6e1daa298e54784938c511c74

SHA1
81906cafb4173daafb00ea83b0d48cbbacb36c71

SHA256
65fc6a29980f9fe4c56a3ed6d2e0427afb454fd80d912d95b710d8f7e18ed9f8

SHA512
c552fb9646edbc7ce2fe616097d809576ce0b0472d547d4433c11ce6754864431dd914bdf51f99044cfcc68a82d4a3089de5a6ce03174d2db6a7db437e3cb590

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\acdbase.dll

Filesize
2.1MB

MD5
f3ab647938088544374123fc108140d1

SHA1
06a24d0df17e82c575785fa0b8fe204c9aa76bf9

SHA256
bb30fbf460118fcd39b5e71b059b2dd25dd54c3c51bac1c429b4880e71e47a9d

SHA512
65a3774ae3fb0a1041cf66417cbb3cb80d3b21dcbf15fa38b361b19e7d925e8d6d42fe6e249e2200e25a52107dd613706db73897a8bf4e15db738a24b7a95cd3

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe

Filesize
2.1MB

MD5
718616f8686a44b1d85ff33b246c9928

SHA1
8af0b97e8330e41b9d8823608376cb838a485554

SHA256
a4ca0e69f9459dcf33d0c67018293f68e853ceba23e42926e3a038bb2fc70458

SHA512
d31fd6db93334ffd7890857bb6f408e34655d168797f95e5627d9650b92f81e370257d07990fadc23cc304da62bf80a8abe612b75b33aa09b65293ba8a3ad696

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\gable.flv

Filesize
46KB

MD5
e1e1bf5a99a816a279d1309d61d80f2d

SHA1
427726ac33db371d40a687ef11b6071239bc70f6

SHA256
317cd902474c2dd27c9ad4af84d6b97b2831a996d9cd05ce2fb2518ffc38f923

SHA512
a6a2807324218eb28039bf3f946f3fadcdf5507b1d85c126a55b94c07c048a43db26183692e3e385680c299b01f4666f2ab17fc366f946fd6097e3d71e46088d

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\jhgfdsa.rar

Filesize
3.6MB

MD5
e7f747f42e2898b759d753a88951a034

SHA1
1291bf738113d5a4f7f3856f0af8db522b855e91

SHA256
5c7018523cf75f3c2d195880302a564bf5fc5f49d8f6efe303e1aaa8c9975e84

SHA512
7a17fd43c3505b8e87105064cb670b402f12e155b6622fe74a9748ba76851511fe6d49170cd1af1033b4ada2a30dd1d5838f7ca6a25a3d7c6eb70bc0061f33f3

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\libmmd.dll

Filesize
1.2MB

MD5
c9d6b074b41596a2cad2ec2ba006528d

SHA1
2425b8ce6af6e253405512881d3ba2dfaa1b87b5

SHA256
daa5b79cda92a5448e579c1c702bf289080982328a2c1c6559871b7df344bd9d

SHA512
3b4f01626750d2e14dc3b47e93d37047c44f2f85255508408a2dcc2743db9fcd3815659ce7bb1cd90a3414b046641f604404663f301fa8ab7a6b02cfa9a3cdc4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\libmmd.dll

Filesize
576KB

MD5
b786bdc9b14533e1e0ff8517747aacef

SHA1
f884d8dc179a18c7b16785dbd8fa0c600f6b5a1d

SHA256
7b3cefb917fc235f4e686eaceecd6837a2aa498b9b0b0a6afe8c36507ff44ed5

SHA512
02ffd256ef35f394021c618b624e904f388f88fc6ba63e4d3152ac5b89c283c242fb09255612a3cefea22620612c6a81f6303c34c5e74a315e983268c9539d9b

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\shroff.rtf

Filesize
448KB

MD5
8adc51f1d94c477b88f02b2daa76662e

SHA1
f5928bdee380d53c55e7bc41cfb96d61c43a8668

SHA256
9d938add263ecabeae9b7d8190dcee3884ed8ced4310e19a863c2d2f0b834ff7

SHA512
bb2928c1e4176dac38308131ad1ded59fc3dc0c6674b4e1f346a89d97279cfe870fe1fce6ad0ca2d6dc52b1dead469751b8f0cb8681346b7728eb2bc1aff786f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ftur.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0acc3e3

Filesize
1.8MB

MD5
a5c4c7720d88db445641fea418c6f03b

SHA1
3b75735164ecefd4f8dbcaf337757e233467f662

SHA256
b444b8c7754081f0c702d2603521880a81f4510b780803f99ca53077f1a3656d

SHA512
1ea9298ec6b4c97ce39e42513e214c92a1b6553052fbbc669f72f919264a2e90af7bceb9845bfb4a6a85f8dd2ca46df30329db5f55ca35dfe168696bdf2bad87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8KU2S.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETIP8.tmp\Setup.tmp

Filesize
2.1MB

MD5
f248dc5f61d936b09b589a4b30c983b6

SHA1
adcd6e19719ef2a06f226b4c5ee2e471a73fbdf6

SHA256
0085265e40c07dec14a89a5030d0fa8996fcac62dccc5fcfa1bbdd7971e85103

SHA512
a308f976bf018086ba8af34d6707322c4fa27de784c6222402d7cc66b506b5ee39e3ed9a452f438334fec4014563f04dd8cad1c9474e693e946922a97143c830

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S1G52.tmp\Setup.tmp

Filesize
3.0MB

MD5
62c2965912072266823bafdec2273528

SHA1
a737d8b8d31a440137894c0852c71976d64fb6fc

SHA256
d26099f9c70cd8a482e372523b96cdd5e01ff373725d786c9b9dd9749d3a03ab

SHA512
2dd306f9e3d78a6531b1bdd28ecc5be118bd45b3fad6197d404ab3dbadae60902fedf5df3cd8db2e07e63e5d80e672d6693b6e74c5df01a25d962ec912631c46

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ACDBASE.DLL

Filesize
2.9MB

MD5
b1bdb6ded9dff296ceff241fb196457b

SHA1
5bdfb243477cf12c239bb277cd66ca0dfa5d043d

SHA256
a9e79f83f81567cef62d2026ce30e1d5da27352590a6ef1c662cd1a634f73352

SHA512
3ba56cca93ed41fd185d81b076146064e1f59d4b3109dd44ecbe26e28e669011562527b7a2bdea0d9fb2f00d03a03c80acc83b6d3430721f0ce57b7c31c36123

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\acdbase.dll

Filesize
2.0MB

MD5
74ff58d1f60f92436256790c14cd94f6

SHA1
d446d0b5b1c58248d8cda540aed51abde4e9a311

SHA256
0c844eabc6834ca259e13317078089066e64340271d60d580983765406b0bae7

SHA512
0ea287d0c0d0d5929417e3adeae1567559028407c074064d3d04ceb92fdeac2e26f9639a1a566fadf37591ee030c53ac19e5651bebaf762cd5deb28326ac87c2

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe

Filesize
2.0MB

MD5
429785fa3913f133cebfe4a45914c0f7

SHA1
751ded0e7ec1e49fb65af5e7dc410df4d96960f7

SHA256
c949239b24a9cabdaf41cf999681c1706ecfb314dfaf15a600b41ddb18b8332e

SHA512
ccebadf008bf475b5aadbc38e120a092840ead42adfec6f64a922b0c2ca5f68f79426b2045e1c0fb9ebfd966bcdc8e79c01fd53068202d057d78272afb4b535d

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\libmmd.dll

Filesize
2.1MB

MD5
fac7154d63d9df11a5e94b0a0983a503

SHA1
4a6787a8b29c25a6529cbe833a77ceb6167a15dd

SHA256
473069be552218ca0ad7e638cc3bffa323a5ec362bfff3fc32d07cbe5e3bb743

SHA512
ca8506f67ed02b7e60200987b278e0556dd89a8afd37eb524cb779729d664156dfdc7d1db27307d772eb55a408064a3671f51c9abf6a1a8a98c827d47aa21f06

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\shroff.rtf

Filesize
512KB

MD5
bf5b6644c5d3ee57a94e117d5709ee2b

SHA1
d77dd309e998c0fd58dc8c8781fdd01ca0b65981

SHA256
fa679d0dfd8340b2d2905e1b70ed4168b7b051fdfe4f1453b42072cdc4943c0b

SHA512
483e677a6e09f6957515637b2bf317791510bbe2e16151f556a19f6c3a0adb70db8a2be755ee7a54010658d7a39b753295f716118abe7ffceeb9449ebe17f739

Download Submit
C:\Users\Admin\AppData\Roaming\cpprest141_2_8\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
memory/452-67-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1868-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1868-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1868-75-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2156-157-0x0000000075870000-0x00000000759EB000-memory.dmp

Filesize
1.5MB

Download
memory/2156-155-0x00007FFAC39F0000-0x00007FFAC3BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2440-6-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2440-17-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3608-79-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-83-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-86-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-84-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-97-0x00007FFAB4F70000-0x00007FFAB50E2000-memory.dmp

Filesize
1.4MB

Download
memory/3608-85-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-81-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-88-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3608-68-0x0000000003FE0000-0x00000000041C8000-memory.dmp

Filesize
1.9MB

Download
memory/5284-151-0x00007FFAB4F70000-0x00007FFAB50E2000-memory.dmp

Filesize
1.4MB

Download
memory/5284-140-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-135-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-137-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-133-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-138-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-122-0x0000000003FF0000-0x00000000041D8000-memory.dmp

Filesize
1.9MB

Download
memory/5284-142-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5284-152-0x00007FFAB4F70000-0x00007FFAB50E2000-memory.dmp

Filesize
1.4MB

Download
memory/5284-139-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/5504-163-0x0000000000530000-0x0000000000589000-memory.dmp

Filesize
356KB

Download
memory/5504-166-0x0000000000530000-0x0000000000589000-memory.dmp

Filesize
356KB

Download
memory/5504-164-0x00007FFAC39F0000-0x00007FFAC3BE5000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5800-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5800-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download