qulab | f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b

Analysis

max time kernel
160s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
Size

6.3MB
MD5

607afb9f5a1de0e31d5cf6904e60a853
SHA1

ac99aafee4902a65c0185f9aab490da3b12b83ae
SHA256

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b
SHA512

356b77f7cd35abfae04149f1bde3f8b84affc6556e411edd9f4ced3355dfd70e9f3840818cfd89e57b94b6867babc20b896507ee4f32b13671ff934f67a0e797

Score

10^/10

qulab discovery evasion spyware stealer themida trojan upx

Malware Config

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll	acprotect
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll	acprotect

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

dinput.module.exe

pid process

4228 dinput.module.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
4228	dinput.module.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll	upx
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe	upx
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dinput.exedinput.exedinput.exef29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dinput.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dinput.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dinput.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dinput.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dinput.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dinput.exe

Loads dropped DLL 2 IoCs

Processes:

dinput.exe

pid process

3560 dinput.exe
3560 dinput.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3560	dinput.exe
3560	dinput.exe

Themida packer 40 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1336-130-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-131-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-132-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-133-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-134-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-135-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-136-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-137-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-138-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/1336-139-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-141-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-142-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-143-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-144-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-145-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-146-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-147-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-148-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-149-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3560-150-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-170-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-171-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-172-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-173-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-174-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-175-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-176-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-177-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-178-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/3252-179-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-180-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-181-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-182-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-183-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-184-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-185-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-186-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-187-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-188-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida
behavioral2/memory/4220-189-0x0000000000430000-0x0000000000FE7000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dinput.exef29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exedinput.exedinput.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dinput.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 ipapi.co
41 ipapi.co

flow	ioc
40	ipapi.co
41	ipapi.co

AutoIT Executable 36 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1336-131-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-132-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-133-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-134-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-135-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-136-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-137-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-138-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/1336-139-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-142-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-143-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-144-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-145-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-146-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-147-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-148-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-149-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3560-150-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-171-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-172-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-173-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-174-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-175-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-176-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-177-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-178-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/3252-179-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-181-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-182-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-183-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-184-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-185-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-186-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-187-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-188-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe
behavioral2/memory/4220-189-0x0000000000430000-0x0000000000FE7000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

dinput.exedinput.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	dinput.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	dinput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4620 3560 WerFault.exe dinput.exe

pid	pid_target	process	target process
4620	3560	WerFault.exe	dinput.exe

NTFS ADS 2 IoCs

Processes:

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exedinput.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\winmgmts:\localhost\	dinput.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dinput.exe

pid process

3560 dinput.exe
3560 dinput.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

pid process

1336 f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

pid	process
3560	dinput.exe
3560	dinput.exe

pid	process
1336	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dinput.module.exe

description	pid	process
Token: SeRestorePrivilege	4228	dinput.module.exe
Token: 35	4228	dinput.module.exe
Token: SeSecurityPrivilege	4228	dinput.module.exe
Token: SeSecurityPrivilege	4228	dinput.module.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exedinput.exe

description	pid	process	target process
PID 1336 wrote to memory of 3560	1336	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe	dinput.exe
PID 1336 wrote to memory of 3560	1336	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe	dinput.exe
PID 1336 wrote to memory of 3560	1336	f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe	dinput.exe
PID 3560 wrote to memory of 4228	3560	dinput.exe	dinput.module.exe
PID 3560 wrote to memory of 4228	3560	dinput.exe	dinput.module.exe
PID 3560 wrote to memory of 4228	3560	dinput.exe	dinput.module.exe
PID 3560 wrote to memory of 3668	3560	dinput.exe	attrib.exe
PID 3560 wrote to memory of 3668	3560	dinput.exe	attrib.exe
PID 3560 wrote to memory of 3668	3560	dinput.exe	attrib.exe
PID 3560 wrote to memory of 4892	3560	dinput.exe	attrib.exe
PID 3560 wrote to memory of 4892	3560	dinput.exe	attrib.exe
PID 3560 wrote to memory of 4892	3560	dinput.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4892 attrib.exe
3668 attrib.exe

pid	process
4892	attrib.exe
3668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe
"C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\[] .7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\*"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2"
3⤵
- Views/modifies file attributes
PID:3668

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2"
3⤵
- Views/modifies file attributes
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 3068
3⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560
1⤵
PID:2400

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
1fbea7bfc773d8692802b9d72e0aa997

SHA1
475cd83c08d14bfc2fb2d5ac9bf3762474d1eed1

SHA256
0a6c67541384ab7cdaa50fd7ad85c0d4c70f8d41a95a9200e622416c0701a3e8

SHA512
3b5ca4830685747d9733262ab484288c21cab85d2458d278acf937643c48f02d5af76a19ec1c9bda6721d3c605f53f7430c02c39b38e5486fabebd4431b08dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
c9ac0cf1a938343a1778e63ab795f0f4

SHA1
d0a4444a3cee891e41e9223fe547d3ebd806b855

SHA256
effa1a5d41575db5a9f978e7f256a047134a0bd72d66223b5f04d017d5005406

SHA512
1924dea086090a3897a8b48cff2d903256a68573e471dcd4ccce603f53c68fdf82d96a0c87e5e65f2a1078fbb15464f4c3b61946bf21394328575625c862d650

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ResetDebug.txt
Filesize
184KB

MD5
4f6319774557c50fd6aa83abe882ce34

SHA1
f9c278ea28dd03a3bc5761923aa81f89cc3fb4d7

SHA256
11f16de6d3964195d1485d8ce7d777d1a70c5c9d8a113cafc9d6d6012d1d55d2

SHA512
da97f409dba6f4424e65f5187d2483b7c94b941c7f04cddc96892ed431232c31353f2d54ccb2e15b7ae7b98c27bf7dfdc1a36c727d2fc3652173b1e562004c37

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\InstallAssert.xlsx
Filesize
443KB

MD5
0406d79ff8c54eede2b3b42d09a4a3f5

SHA1
779a55a7d49eaf56337fa3073874ebebb579c42d

SHA256
12c4c322d70693d2de15b01ce7779790c719f56f7c9ec8e839dcf9bd3148016c

SHA512
370b5e8254d6bb20fd8ee5ec0c2fa89f3f2390a3a8768967fa26b459affc98251d6e0a62fd86271fdaf0a714d50c9daec1849a0c0e77d063031e9eb82c8a9855

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\InstallCompress.xlsx
Filesize
347KB

MD5
a5427f3e30dec224a0a93adab4705013

SHA1
35e3600e5abbd8ced3f8dec5a66e32d876f53a7f

SHA256
d86e59d1c77ea8ededeb88a733bd492cfdcb743bbf737c8a29215cf68b44a0da

SHA512
cd8aa76d86bcfceb35848faa666651bf069a879f4f8ad89aa8882d757871a0a2bfd8c0949cc0c9e7ac79038c11c8bf5792cb4921a470adf0931a070255d80386

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\MeasureUninstall.doc
Filesize
365KB

MD5
f400e8c69d45f774c645e4bb56c13fa5

SHA1
806345cc9d918218a3aac4d2a41236b252b0d1f7

SHA256
6e7d4232d535b9bb0e53826c789f9d5f876d1d1d0e7997e28698032fd2a852e5

SHA512
2e75e2d73fb0864792568f01e9254498915b4b444a997215acf71176b89ba3e86f2f4454e5ffacc58ae11bd417a2815419ae9134c58efcf634fc3382136089c7

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\SuspendTrace.xlsx
Filesize
182KB

MD5
5ad626643ea639d17cc0d41c521c53bf

SHA1
7845c9619b5a26793e76f95c83c56793ce683b00

SHA256
a055af2fab7a130428705a38fa9fda147663ad31ae675662de07521e53f17ae3

SHA512
5e1523b6a3c87f5c6131dc75027872696e0d1fffae96b890b4d9322cad05525014ad6ceec268cf104b66321e4afd18012827a4be0f8ccd537cd8b9a80d8b08b6

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Information.txt
Filesize
3KB

MD5
3cbfedec82b79de859c8f251179ff0c9

SHA1
24690d3889ba7b5f2b4ffa6c7cd7b0a75b4f57e0

SHA256
344ed7ceca03728b98a71dab10ad1d1ee53905a7d2889c779804ae578505ce45

SHA512
9ad933b1a20fb7d85963044882ae549699aca1d94b2d0bcb98697e9729ef4f8ce4066de557a228504dc774390f1292cac3f9dbaaf3308354647e524e1f3c219e

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Screen.jpg
Filesize
50KB

MD5
56916b2d1fdbfb42d632c00256f643de

SHA1
7cabf4d655c9b4c21c4872942a648cc05afac23a

SHA256
c1031781044abdd62090f8802ff8c83ff5c58c8229fa347fbf7a8e89dcffc207

SHA512
5beea674c8f8d1bd38c1c2d65fa61b175a6872d38cf43e1115b303d78cc56f03e0a2232266b13baee47ea68beb6e929dfaa0ff937043726813eaa41cf95dc0a9

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe
Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe
Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll
Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll
Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/1336-130-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-139-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-138-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-137-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-136-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-135-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-134-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-133-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-132-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/1336-131-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-175-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-170-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-179-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-178-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-177-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-176-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-174-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-173-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-172-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3252-171-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-142-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-150-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-140-0x0000000000000000-mapping.dmp

Download
memory/3560-143-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-144-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-145-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-146-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-141-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-147-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-148-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3560-149-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/3668-168-0x0000000000000000-mapping.dmp

Download
memory/4220-185-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-181-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-182-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-183-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-184-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-186-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-187-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-188-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-189-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4220-180-0x0000000000430000-0x0000000000FE7000-memory.dmp

Filesize
11.7MB

Download
memory/4228-153-0x0000000000000000-mapping.dmp

Download
memory/4892-169-0x0000000000000000-mapping.dmp

Download